Re: [certid] Review of draft-saintandre-tls-server-id-check
Shumon Huque <shuque@isc.upenn.edu> Tue, 14 September 2010 15:44 UTC
Date: Tue, 14 Sep 2010 11:45:12 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Dave Cridland <dave@cridland.net>
Subject: Re: [certid] Review of draft-saintandre-tls-server-id-check
Message-ID: <20100914154512.GA8206@isc.upenn.edu>
References: <C8B43307.EE07%stefan@aaa-sec.com> <8252.1284405167.326805@puncture>
In-Reply-To: <8252.1284405167.326805@puncture>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, IETF-Discussion <ietf@ietf.org>
On Mon, Sep 13, 2010 at 08:12:47PM +0100, Dave Cridland wrote:
> On Mon Sep 13 18:59:03 2010, Stefan Santesson wrote:
> >I agree here. Both to this and to former speakers stating that the
> >assertion is made by the CA and not the subject.
> >
> Well, I'd say the assertion is the presence of the SAN in the cert. I
> mean, an assertion is a positive statement made *without* evidence.
> The evidence is then the signature of the issuer, who certifies the
> assertion - it doesn't matter who makes that assertion. But anyway,
> that's somewhat moot, and as Shumon points out, we needn't care about
> who authorized what unto whom.

Yeah, that's what I meant. Thanks for articulating that more clearly
than I did, Dave!

RFC 4985 specifies the SRVName othername form. The act of authorizing a
particular identity to be in a certificate is more related to who issued
and signed the certificate, and the act of verifying that authorization
is related to the client authenticating the signature of the certificate
and building a chain of trust from the issuer back to a trust anchor that
it has configured. 4985 doesn't need to say any more on that subject
since it's already covered by base PKIX specs.

> "The requested DNS domain name for the specified service. That is,
> the domain name which would be found in the URI for the service, and
> other protocol identifiers of a similar nature. Where the service is
> directly requested by hostname, this domain name would be the
> requested hostname."
>
> I think that covers all the cases I'd expect by example, without
> worrying about who's asserting and certifying. No doubt someone will
> reword with a sprinkling of 2119.
>
> Dave.

This particular sub-thread is about errata to 4985, right? If so, I
don't think it should mention "URI" or "identifiers of a similar
nature". Or are you proposing more general text for inclusion in
draft-saintandre-tls-server-id-check?

For 4985, I think your first sentence is sufficient by itself:

    "The requested DNS domain name for the specified service."

Or, if we want to elaborate more, I'd suggest:

    "The requested DNS domain name for the specified service. This is
    the "Name" component of the corresponding DNS SRV record."

Actually, what would be really useful is if the document provided an
actual example of an SRV record and an SRVName, right after the
definitions in Section 2. Lack of clear examples is a very common
problem with many IETF specifications.

-- 
Shumon Huque
University of Pennsylvania.
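The message above asks for a concrete example tying an SRV record to the SRVName a client should expect. The following is an added illustration, not text from the message, from RFC 4985, or from draft-saintandre-tls-server-id-check: it parses a constructed RFC 2782 SRV record, derives the RFC 4985 "_Service.Name" SRVName from the service and the domain the client itself requested (never from the SRV Target, which comes back in an unsigned DNS answer), compares it against an SRVName taken from a certificate, and DER-encodes the otherName so the on-the-wire form is visible. The domain names, ports and hostnames are constructed for the example; the OID 1.3.6.1.5.5.7.8.7 is id-on-dnsSRV as registered in RFC 4985.

```python
# Added example, not from the original message or from RFC 4985 itself.
# Relates an RFC 2782 SRV record to the RFC 4985 SRVName a client should
# expect in the server certificate. All names below are constructed.

# Constructed sample SRV record in zone-file syntax (RFC 2782):
#   _Service._Proto.Name  TTL  Class  SRV  Priority  Weight  Port  Target
SAMPLE_SRV_RECORD = "_xmpp-client._tcp.example.com. 86400 IN SRV 5 0 5222 xmpp.example.com."

# RFC 4985, Section 2: id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 }
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"


def parse_srv_record(record):
    """Split one SRV resource record (RFC 2782 presentation format) into fields."""
    fields = record.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % record)
    owner, ttl, _cls, _rrtype, priority, weight, port, target = fields
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("owner name is not of the form _Service._Proto.Name: %r" % owner)
    return {
        "service": labels[0][1:],      # "xmpp-client"
        "proto": labels[1][1:],        # "tcp"
        "name": ".".join(labels[2:]),  # "example.com": the Name component
        "ttl": int(ttl),
        "priority": int(priority),
        "weight": int(weight),
        "port": int(port),
        "target": target.rstrip("."),  # host to connect to; NOT part of the SRVName
    }


def srvname_for(service, name):
    """RFC 4985 SRVName presentation form: "_Service.Name"."""
    return "_%s.%s" % (service, name)


def expected_srvname(requested_domain, service, srv_record):
    """Derive the SRVName the client should look for, plus where to connect.

    Name is taken from what the client asked for; the SRV answer is accepted
    only if its owner name agrees. The answer's Target is used for the TCP
    connection but never for the identity check, since an unsigned DNS
    response could name any host.
    """
    rr = parse_srv_record(srv_record)
    if rr["service"].lower() != service.lower() or rr["name"].lower() != requested_domain.lower():
        raise ValueError("SRV record %r does not answer the query for %s at %s"
                         % (srv_record, service, requested_domain))
    return srvname_for(service, requested_domain), rr["target"], rr["port"]


def srvname_matches(cert_srvname, expected):
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return cert_srvname.rstrip(".").lower() == expected.rstrip(".").lower()


# DER encoding of the GeneralName, to show what the value looks like in a cert.

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                     # base-128, high groups first
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))


def encode_srvname_general_name(srvname):
    """GeneralName otherName [0] { type-id id-on-dnsSRV, value [0] EXPLICIT IA5String }."""
    ia5 = _der_tlv(0x16, srvname.encode("ascii"))
    value = _der_tlv(0xA0, ia5)                   # [0] EXPLICIT wrapper
    other_name = _der_oid(ID_ON_DNSSRV) + value   # OtherName SEQUENCE content
    return _der_tlv(0xA0, other_name)             # [0] IMPLICIT replaces the SEQUENCE tag


if __name__ == "__main__":
    name, host, port = expected_srvname("example.com", "xmpp-client", SAMPLE_SRV_RECORD)
    print("SRV record:                  ", SAMPLE_SRV_RECORD)
    print("expected SRVName in cert:    ", name)
    print("connect to:                   %s:%d" % (host, port))
    print("otherName DER:               ", encode_srvname_general_name(name).hex())
```

Run stand-alone, the script shows that the record for `_xmpp-client._tcp.example.com` yields the SRVName `_xmpp-client.example.com`: the Target `xmpp.example.com` appears nowhere in it, which is exactly why the "Name" component wording in the message suffices and "URI" does not enter into it.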