RE: [TLS] Why require EKU for certid?
"Jim Schaad" <ietf@augustcellars.com> Thu, 23 September 2010 02:28 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, 'Peter Saint-Andre' <stpeter@stpeter.im>, 'Stefan Santesson' <stefan@aaa-sec.com>
Subject: RE: [TLS] Why require EKU for certid?
Date: Wed, 22 Sep 2010 19:36:20 -0700
Cc: 'IETF cert-based identity' <certid@ietf.org>, ietf@ietf.org, tls@ietf.org
> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Paul
> Hoffman
> Sent: Wednesday, September 22, 2010 9:44 AM
> To: Peter Saint-Andre; Stefan Santesson
> Cc: IETF cert-based identity; ietf@ietf.org; tls@ietf.org
> Subject: [TLS] Why require EKU for certid?
>
> At 10:21 AM -0600 9/22/10, Peter Saint-Andre wrote:
> >On 9/14/10 12:51 AM, Stefan Santesson wrote:
> >> General:
> >> I would consider stating that server certificates according to this
> >> profile either MUST or SHOULD have the serverAuth EKU set since it is
> >> always related to the use of TLS and server authentication. At least
> >> it MUST be set when allowing checks of the CN-ID (see 2.3 below).
> >
> >Jeff and I are still discussing this topic and do not yet have
> >editorial agreement about how to proceed.
>
> This is not editorial, this is definitely technical. What possible advantage is
> there to making certificates that do not have this flag set be excluded from the
> practices you are defining? That is, if a TLS client gets a certificate from a TLS
> server that the TLS server says is its authentication certificate, why should the
> client care whether or not that flag is set? That flag is an assertion from the CA,
> not from the server who is authenticating.
>
> >> 2.3
> >> It would be good if we could restrict the use of CN-ID for storing a
> >> domain name to the case when the serverAuth EKU is set. Requiring
> >> the EKU reduces the probability that the CN-ID appears to be a domain
> >> name by accident or is a domain name in the wrong context.
>
> That makes no sense from an operational standpoint. The inclusion of an EKU
> has nothing to do with the decision-making for the domain name location.
>
> >> In many deployments, this also affects the name constraints
> >> processing to
> >> perform domain name constraints also on the CN attribute.
>
> True, and irrelevant.
>
> >> There should at least be a rule stating that any client that accepts
> >> the CN
> >> attribute to carry the domain name MUST also perform name constraints
> >> on this attribute using the domain name logic if name constraints are
> >> applied to the path. Failing this requirement poses a security threat
> >> if the claimed domain name in CN-ID violated the name constraints set for
> >> domain names.
>
> Fully disagree.

I also agree that this is not something that I would ever like to see as a required element. Applying name constraint logic in places where it should not be performed is something that is very hard on any certificate evaluation logic. I think it would be much more an issue of "asking" CAs not to issue certificates that have this characteristic.

Jim

> --Paul Hoffman, Director
> --VPN Consortium
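The name-constraint rule Stefan proposes in the quoted exchange (and Paul and Jim push back on), as an added example that is not part of this thread: RFC 5280 dNSName subtree matching in plain Python, run over the SAN dNSNames of a server certificate with and without the CN-ID included. The certificate names, the permitted and excluded subtrees, and the `ServerCertNames` helper are all constructed for illustration.

```python
# Added example (not from the thread): RFC 5280 dNSName name constraints applied
# to the names a client takes from a server certificate. All names constructed.
from dataclasses import dataclass, field
from typing import List, Optional


def dns_name_within(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName is within a subtree when it equals the subtree
    or is the subtree with one or more labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def constraint_violations(names, permitted, excluded) -> List[str]:
    """Names outside every permitted subtree (when any is present) or inside
    any excluded subtree; an empty list means every name passes."""
    bad = []
    for n in names:
        if permitted and not any(dns_name_within(n, p) for p in permitted):
            bad.append(n)
        elif any(dns_name_within(n, e) for e in excluded):
            bad.append(n)
    return bad


@dataclass
class ServerCertNames:
    """The certificate fields a client might treat as a domain name."""
    san_dns: List[str] = field(default_factory=list)
    cn: Optional[str] = None


def check_server_cert(cert, permitted, excluded, accept_cn_id) -> List[str]:
    """Run the CA's dNSName constraints over the names the client will trust.
    A client that accepts CN-ID as a domain name must put the CN through the
    same logic as the SAN entries, or an out-of-scope CN passes unnoticed."""
    names = list(cert.san_dns)
    if accept_cn_id and cert.cn:
        names.append(cert.cn)
    return constraint_violations(names, permitted, excluded)


# Constructed case: a sub-CA constrained to example.com issued a certificate
# whose SAN is in scope but whose CN names a host in another domain.
CERT = ServerCertNames(san_dns=["www.example.com"], cn="mail.example.net")
PERMITTED, EXCLUDED = ["example.com"], ["internal.example.com"]

if __name__ == "__main__":
    print(check_server_cert(CERT, PERMITTED, EXCLUDED, accept_cn_id=False))
    print(check_server_cert(CERT, PERMITTED, EXCLUDED, accept_cn_id=True))
```

With `accept_cn_id=False` the constructed certificate passes; with the CN-ID admitted as a domain name the same certificate reports `mail.example.net` as a violation, which is the gap Stefan's rule is meant to close.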