IETF Logo Mail Archive

Re: [Gen-art] [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

Peter Saint-Andre <stpeter@stpeter.im> Tue, 07 December 2010 19:54 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFD1F3A6884; Tue, 7 Dec 2010 11:54:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.492
X-Spam-Level:
X-Spam-Status: No, score=-102.492 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8QFRo+Q+FC5; Tue, 7 Dec 2010 11:54:44 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id B796F3A67FF; Tue, 7 Dec 2010 11:54:44 -0800 (PST)
Received: from dhcp-64-101-72-234.cisco.com (dhcp-64-101-72-234.cisco.com [64.101.72.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 348E24009B; Tue, 7 Dec 2010 13:07:57 -0700 (MST)
Message-ID: <4CFE9159.2050502@stpeter.im>
Date: Tue, 07 Dec 2010 12:56:09 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4CFD8731.9060208@KingsMountain.com> <4CFDB3CF.60507@stpeter.im> <p0624081ec923fc207345@[10.20.30.150]>
In-Reply-To: <p0624081ec923fc207345@[10.20.30.150]>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms090605010105090507050501"
Cc: Ben Campbell <ben@nostrum.com>, General Area Review Team <gen-art@ietf.org>, IETF cert-based identity <certid@ietf.org>, =JeffH <Jeff.Hodges@KingsMountain.com>, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Subject: Re: [Gen-art] [certid] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2010 19:54:46 -0000

On 12/7/10 8:01 AM, Paul Hoffman wrote:
> [[ Much abbreviated ]]
> 
> At 9:10 PM -0700 12/6/10, Peter Saint-Andre wrote:
>>>>> -- 3.1, rule 6:
>>>>>
>>>>> Can you motivate why this is not a MUST NOT?
>>> The reason for allowing this wiggle-room is that (for better or worse)..
>>>
>>>   1. the CA/Browser Forum Extended Validation (EV) Certificate Guidelines
>>>      explicitly allow for multiple CN-IDs
>>>
>>>   2. It's a not-totally-uncommon current practice to have certs that do
>>> have
>>>      mutiple CN-IDs, eg from Comodo (whether EV or DV (domain valivdated)).
>>>
>>>   3. Virtual hosting multiple distinct-domain TLS servers on one entity is
>>>      difficult today if one desires wide desktop client support because
>>>      a certain vendor's older-but-still-widely-deployed-OS does not (yet?)
>>>      support the TLS Server Name Indication extension. Thus having one
>>>      cert with all the domains jammed in it (as either/both CN-IDs or/and
>>>      DNS-IDs) is a workaround (eg Content Delivery Networks use this).
>>>
>>>
>>> So some argue that if we MUST NOT multiple CN-IDs at this point, it is
>>> flying in the face of present reality and might contribute to acquiring
>>> an attained reputation for this BCP that is lower than we desire.
>>>
>>> There is also concern on the part of CA folk about client-side TLS libs
>>> and their support for name matching (ie some (old?) one(s) will only
>>> match on CN-ID).
>>>
>>> For a CA perspective on all the above, see...
>>>
>>> Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
>>> http://www.ietf.org/mail-archive/web/certid/current/msg00502.html
>>
>> +1 to all that.
> 
> Putting an explanation such as the above in the document will help future IETFs to decide when to make this a MUST NOT. It might also help the CA/Browser Forum and specific CAs see that they should stop doing this ASAP, and maybe even convince a particular legacy OS vendor to support TLS SNI.

Sigh. I don't particularly want to add a long informational note that
qualifies eight words in the spec, but you're right. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email