IETF Logo Mail Archive

Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

"Richard L. Barnes" <rbarnes@bbn.com> Wed, 30 March 2011 20:02 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6296428C18B for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:02:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.548
X-Spam-Level:
X-Spam-Status: No, score=-102.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id usMCjJD-7T9J for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:02:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 35BAB3A6BC1 for <keyassure@ietf.org>; Wed, 30 Mar 2011 13:02:00 -0700 (PDT)
Received: from [128.89.255.132] (port=60049 helo=[130.129.71.95]) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Q51c5-000JC3-Uh; Wed, 30 Mar 2011 16:03:34 -0400
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <20EEA73E-9E5E-4D8F-B70C-BD6DF37F60E6@nzrs.net.nz>
Date: Wed, 30 Mar 2011 22:03:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0D12CEFF-68F5-49C1-B4A9-6A0572936B3C@bbn.com>
References: <4D7BFB41.4000403@vpnc.org> <20110321092514.GE9247@anguilla.noreply.org> <AFFDB7BB-8749-4638-AB2D-9ACB617204AC@kirei.se> <20110321130430.GG9247@anguilla.noreply.org> <4BC9E139-CBC5-46EE-A18F-E8F16AE108D6@vpnc.org> <20110330091416.GI681@anguilla.noreply.org> <p06240803c9b8c1a35d7c@[130.129.71.125]> <F0969248-124A-4A32-9F8F-EA81B17FDE05@bbn.com> <20EEA73E-9E5E-4D8F-B70C-BD6DF37F60E6@nzrs.net.nz>
To: Jay Daley <jay@nzrs.net.nz>
X-Mailer: Apple Mail (2.1082)
Cc: Peter Palfrader <peter@palfrader.org>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 20:02:01 -0000

Nope, it's up to applications.  If you want SN/CAN *not* to be checked for HTTPS, then you need to go revise RFC 2818; for SMTP, RFC 3207; for IMAP/POP3, RFC 2595.

--Richard



On Mar 30, 2011, at 9:45 PM, Jay Daley wrote:

> I would argue the complete opposite - that it is in scope for DANE to state that names in certificates should not be checked because the trust chain has been provided by DNSSEC.  Doing that allows individuals and organisations to reuse certificates as they need to for operational reasons and not as dictated to by suppliers or paranoid protocol developers.
> 
> Jay
> 
> On 31/03/2011, at 12:55 AM, Richard L. Barnes wrote:
> 
>> This is outside of DANE's scope.  Checking of names in certificates is up to the application that uses TLS.
>> --Richard
>> 
>> 
>> On Mar 30, 2011, at 1:19 PM, Stephen Kent wrote:
>> 
>>> At 11:14 AM +0200 3/30/11, Peter Palfrader wrote:
>>>> On Mon, 21 Mar 2011, Paul Hoffman wrote:
>>>> 
>>>>> On Mar 21, 2011, at 6:04 AM, Peter Palfrader wrote:
>>>>>> Why is it needed in the first place?
>>>>> 
>>>>> That's a very good question. I don't feel that it is a "need", but it
>>>>> "makes some sense". That is, if I want to go to www.example.com, and I
>>>>> get an A record for www.example.com, and I get a TLSA record for
>>>>> _http._tcp.www.example.com, and I get a certificate that says "this
>>>>> key is associated with www.somethingelse.com", what does it mean?
>>>>> 
>>>>> I can see both ways: "it doesn't matter what the cert says, we are
>>>>> trusting the binding from the DNS" vs. "the cert needs to mean
>>>>> something"? Jakob and I have that text in because a number of people
>>>>> on the list were in the latter category, but it seems like a
>>>>> reasonable question to ask separately.
>>>> 
>>>> I wonder if one approach here would be to require a match if, and only
>>>> if, any naming attributes (CN, SubjectAltName) are in the certificate.
>>>> 
>>>> If there are no CN and no SAN attributes in the certificate then that
>>>> would be acceptable too.
>>>> 
>>>> Cheers,
>>>> Peter
>>> 
>>> A CN is a type of attribute in the Subject DN.  A SAN admits a variety of name types, some of which can have attributes. Do you mean to focus on DNS names as SANs or did you have a broader range of SANs in mind?
>>> 
>>> Steve
>>> _______________________________________________
>>> keyassure mailing list
>>> keyassure@ietf.org
>>> https://www.ietf.org/mailman/listinfo/keyassure
>> 
>> _______________________________________________
>> keyassure mailing list
>> keyassure@ietf.org
>> https://www.ietf.org/mailman/listinfo/keyassure
> 
> 
> -- 
> Jay Daley
> Chief Executive
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 931 6977
> mobile: +64 21 678840
>

v2.23.0 | Report a Bug | By Email