Re: [Gen-art] [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
Peter Saint-Andre <stpeter@stpeter.im> Wed, 08 December 2010 14:53 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BFB83A6956; Wed, 8 Dec 2010 06:53:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.449
X-Spam-Level:
X-Spam-Status: No, score=-101.449 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWuN05z+IYOl; Wed, 8 Dec 2010 06:53:26 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id A23EE3A67ED; Wed, 8 Dec 2010 06:53:26 -0800 (PST)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 603874009B; Wed, 8 Dec 2010 08:06:44 -0700 (MST)
Message-ID: <4CFF9C3C.4040906@stpeter.im>
Date: Wed, 08 Dec 2010 07:54:52 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Ben Campbell <ben@nostrum.com>
References: <4CFD8731.9060208@KingsMountain.com> <49E7482C-83CF-4341-B6FA-F75E74038F8E@nostrum.com> <4CFF13C6.8090807@stpeter.im> <0BEA063A-8BC5-4292-8F7D-79588E7256EA@nostrum.com> <4CFF83E3.9020909@stpeter.im> <81E25826-55C1-4D70-9582-CA428C93908E@nostrum.com>
In-Reply-To: <81E25826-55C1-4D70-9582-CA428C93908E@nostrum.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms060201050204070504040902"
Cc: "draft-saintandre-tls-server-id-check.all@tools.ietf.org" <draft-saintandre-tls-server-id-check.all@tools.ietf.org>, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [Gen-art] [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 14:53:49 -0000
On 12/8/10 7:37 AM, Ben Campbell wrote: > > > On Dec 8, 2010, at 7:10 AM, Peter Saint-Andre <stpeter@stpeter.im> > wrote: > >> On 12/7/10 10:45 PM, Ben Campbell wrote: >>> >>> On Dec 7, 2010, at 11:12 PM, Peter Saint-Andre wrote: >>> >>>> On 12/7/10 6:35 PM, Ben Campbell wrote: >>>>> >>>>> On Dec 6, 2010, at 7:00 PM, =JeffH wrote: >>>>> >>>>>> Peter Saint-Andre <Peter.SaintAndre@webex.com> replied.. >>>>>>> >>>>>>> On 12/3/10 2:24 PM, "Ben Campbell" <ben@nostrum.com> >>>>>>> wrote: >>>> >>>> <snip/> >>>> >>>>>>>> -- 3.1, 1st paragraph: >>>>>>>> >>>>>>>> It's probably worth emphasizing that the rules are >>>>>>>> often cumulative. I think someone thinking about these >>>>>>>> for the first time might not grasp that until they see >>>>>>>> examples later in the doc. >>>>>>> >>>>>>> I've added the second sentence to this paragraph: >>>>>>> >>>>>>> When a certification authority issues a certificate based >>>>>>> on the fully-qualified DNS domain name at which the >>>>>>> application service provider will provide the relevant >>>>>>> application, the following rules apply to the >>>>>>> representation of application service identities. The >>>>>>> reader needs to be aware that some of these rules are >>>>>>> cumulative and can interact in important ways that are >>>>>>> illustrated later in this document. >>>>>> >>>>>> LGTM. >>>>> >>>>> WFM >>>>> >>>>> In fact, as I was re-reading RFC 5922, it occurred to me to >>>>> wonder if people need guidance one way or another on the idea >>>>> of "multi-purpose" certs that might have any number of >>>>> subjectAltName entries for different purposes. I'm talking >>>>> about virtual domain hosting, or multi-protocol hosts. I >>>>> assume in the latter case, you would expect a host to use >>>>> different certs for different protocols. In the first case, >>>>> is their any guidance to give. I can't remember, do you >>>>> mention the TLS server_name extension? >>>>> >>>>> (I don't mean to suggest any real action here--just thinking >>>>> out loud about something that would have been much better to >>>>> bring up well before IETF LC. :-) ) >>>> >>>> Those scenarios are important, but IMHO how the server >>>> determines which certificate to present (e.g., based on the SNI >>>> or something else, such as the 'to' address on an XMPP stream >>>> header) is something that an application protocol specification >>>> needs to define. >>> >>> Agreed. Does this draft need to say that, or do we just take it >>> as given? >> >> I think it's appropriate to add a few words about that. I >> suggest... >> >> 1.1 >> >> ... When a client connects to an application service using >> Transport Layer Security [TLS] or Datagram Transport Layer Security >> [DTLS], it references some notion of the server's identity while >> attempting to establish a secure connection (e.g., "the website at >> example.com") and typically specifies at least the DNS domain name >> with which it is trying to communicate (e.g., using a Server Name >> Indication during TLS negotiation as described in [TLS-EXT]). >> >> 1.5 >> >> presented identifier: An identifier that is presented by a server >> to a client within a PKIX certificate when the client attempts to >> establish a secure connection with the server; the certificate can >> include one or more presented identifiers of different types, and >> the certificate presented is typically based on a DNS domain name >> specified by the client when initiating communication (e.g., using >> a Server Name Indication during TLS negotiation as described in >> [TLS-EXT]). >> > > Do you think server_name extension use is actually common enough to > call typical? I'm not saying it's not--I don't really know one way or > another. Otherwise, WFM. We could say "and if the server hosts more than one domain then the certificate presented is typically based..." Peter -- Peter Saint-Andre https://stpeter.im/
- [Gen-art] Gen-ART LC Review of draft-saintandre-t… Ben Campbell
- Re: [Gen-art] Gen-ART LC Review of draft-saintand… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Paul Hoffman
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Ben Campbell
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [Gen-art] [certid] Gen-ART LC Review of draft… =JeffH