Re: [certid] Review of draft-saintandre-tls-server-id-check

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 13 September 2010 16:17 UTC

Message-Id: <p0624083dc8b3fe8cef8f@[10.20.30.158]>
In-Reply-To: <4C8E4C6B.3040803@stpeter.im>
References: <20100908195349.GA4292@isc.upenn.edu> <C8ADC7ED.EBA4%stefan@aaa-sec.com> <20100909182253.GB3460@isc.upenn.edu> <4C8E4C6B.3040803@stpeter.im>
Date: Mon, 13 Sep 2010 09:17:01 -0700
To: Peter Saint-Andre <stpeter@stpeter.im>, Shumon Huque <shuque@isc.upenn.edu>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [certid] Review of draft-saintandre-tls-server-id-check
Content-Type: text/plain; charset="us-ascii"
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org

At 10:08 AM -0600 9/13/10, Peter Saint-Andre wrote:
>As I see it, this I-D is attempting to capture best current practices
>regarding the issuance and checking of certificates containing
>application server identities. Do we have evidence that any existing
>certification authorities issue certificates containing both an SRVname
>for the source domain (e.g., example.com) and dNSName for the target
>domain (e.g., apphosting.example.net)? Do we have evidence that any
>existing application clients perform such checks? If not, I would
>consider such complications to be out of scope for this I-D.

A big +1 here. It is a Good Thing that people are starting to look at the interaction between SRV and security (it's also happening on the keyassure list), but it definitely seems like "starting to look at". Please do not instantiate anything until this has been discussed more widely.

--Paul Hoffman, Director
--VPN Consortium