Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

Paul Wouters <> Mon, 21 March 2011 19:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2EFD828C0DD for <>; Mon, 21 Mar 2011 12:45:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jp0JHtz58EZO for <>; Mon, 21 Mar 2011 12:44:59 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 93E0628C0D7 for <>; Mon, 21 Mar 2011 12:44:58 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTP id 6FB9FC57F; Mon, 21 Mar 2011 15:46:29 -0400 (EDT)
Date: Mon, 21 Mar 2011 15:46:28 -0400 (EDT)
From: Paul Wouters <>
To: Paul Hoffman <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Peter Palfrader <>,
Subject: Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Mar 2011 19:45:00 -0000

On Mon, 21 Mar 2011, Paul Hoffman wrote:

>> Why is it needed in the first place?
> That's a very good question. I don't feel that it is a "need", but it "makes some sense". That is, if I want to go to, and I get an A record for, and I get a TLSA record for, and I get a certificate that says "this key is associated with"quot;, what does it mean?
> I can see both ways: "it doesn't matter what the cert says, we are trusting the binding from the DNS" vs. "the cert needs to mean something"? Jakob and I have that text in because a number of people on the list were in the latter category, but it seems like a reasonable question to ask separately.

This is exactly why bare public keys are good for those who do not wish to deal with
a CA or making up arbitrary CN= entries in certificates only used to contain a public
key verified by DNS.

In fact, if forced to use a cert container, I would use a self signed *,
but I definitely not add a * wildcard in DNS.

Demanding information that will be filled in with bogus or unvalidatable information
makes no sense from a security point of view.