Re: [xmpp] Review of draft-saintandre-tls-server-id-check
Bernard Aboba <bernard.aboba@gmail.com> Tue, 07 September 2010 00:25 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED3B83A68EF; Mon, 6 Sep 2010 17:25:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3TdipycWpP8; Mon, 6 Sep 2010 17:25:32 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 69C233A682D; Mon, 6 Sep 2010 17:25:29 -0700 (PDT)
Received: by wwj40 with SMTP id 40so5734778wwj.13 for <multiple recipients>; Mon, 06 Sep 2010 17:25:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=dJyTSguX9eOlzIROEKonhQrHAtyyWDyhltBuez9oB0U=; b=Z+N7YEiz9qEw4oX+2SZDdEujFkGJkyhhxx4yONwXSyswhGvzIMWVsQixljEYI4Ufrg Qe7szsFbzOdd4kHcmTqUHCjZ35d7dLRB1f3h+lxf1hdyIh6sTzHwacD7YxgrKAqs9Tk9 pJew8dwJWp4UJfikgO+YjTYcJVNpos7O6Vtpc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=cFTyUoOnZOpKnT0LkBcNprJctLiPOW2oZ7FY5eqmAmHLPLbbrilIlaFUSPnb7hyWOZ MqvceMgswyauMgqcYdkvlh6ec5f/D5ZP7zmFofTCfgikzY8bYzLJLBalCqZQmM30lnu1 2LWvAVaMA5NJZ2nfdk/fadeOg9v9rfh83+KRc=
Received: by 10.216.181.84 with SMTP id k62mr933947wem.76.1283819157303; Mon, 06 Sep 2010 17:25:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.70.70 with HTTP; Mon, 6 Sep 2010 17:25:37 -0700 (PDT)
In-Reply-To: <4C7D4853.8020507@stpeter.im>
References: <BLU137-W32189ED2D1B0FDFCBF639F93840@phx.gbl> <4C7C3442.9020403@stpeter.im> <BLU137-DS3BE7BD3D47980030F667A93890@phx.gbl> <4C7D4853.8020507@stpeter.im>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 06 Sep 2010 17:25:37 -0700
Message-ID: <AANLkTi=DgKbkomuZDkpwJ0+_ZzXsxVXSnXb_Cig-y2L8@mail.gmail.com>
Subject: Re: [xmpp] Review of draft-saintandre-tls-server-id-check
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: multipart/alternative; boundary="001636427685d3b1f1048fa070a9"
X-Mailman-Approved-At: Tue, 07 Sep 2010 08:47:28 -0700
Cc: ietf@ietf.org, Bernard Aboba <bernard_aboba@hotmail.com>, XMPP <xmpp@ietf.org>, Cyrus Daboo <cyrus@daboo.name>, tls@ietf.org, pkix@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2010 00:25:34 -0000
Peter said: If that's the logic, I'd at the least like to see a "4985bis" spec make > that clear, because IMHO it's not spelled out now. > RFC 4985 refers to authentication of service discovery in Sections 1 and 2. Section 1 states: " This document specifies a name form for inclusion in X.509 certificates that may be used by a certificate relying party to verify that a particular host is authorized to provide a specific service within a domain. RFC 2782 [N3] defines a DNS RR (Resource Record) for specifying the location of services (SRV RR), which allows clients to ask for a specific service/protocol for a specific domain and get back the names of any available servers. Existing name forms in X.509 certificates support authentication of a host name. This is useful when the name of the host is known by the client prior to authentication. When a server host name is discovered through DNS RR lookup query based on service name, the client may need to authenticate the server's authorization to provide the requested service in addition to the server's host name. While DNS servers may have the capacity to provide trusted information, there may be many other situations where the binding between the name of the host and the provided service needs to be supported by additional credentials. Current dNSName GeneralName Subject Alternative name form only provides for DNS host names to be expressed in "preferred name syntax", as specified by RFC 1034 [N4]. This definition is therefore not broad enough to allow expression of a service related to that domain. " Section 2 states: " Even though this name form is based on the service resource record (SRV RR) definition in RFC 2782 [N3] and may be used to enhance subsequent authentication of DNS-based service discovery, this standard does not define any new conditions or requirements regarding use of SRV RR for service discovery or where and when such use is appropriate. "
- Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check =JeffH
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Martin Rex
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Why require EKU for certid? Paul Hoffman
- Re: Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Martin Rex
- RE: [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Henry B. Hotz