Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

Eric Rescorla <ekr@rtfm.com> Wed, 30 March 2011 20:18 UTC

In-Reply-To: <72CD6385-5FBF-41FF-90D5-71B7A2A87BE1@nzrs.net.nz>
References: <4D7BFB41.4000403@vpnc.org> <20110321092514.GE9247@anguilla.noreply.org> <AFFDB7BB-8749-4638-AB2D-9ACB617204AC@kirei.se> <20110321130430.GG9247@anguilla.noreply.org> <4BC9E139-CBC5-46EE-A18F-E8F16AE108D6@vpnc.org> <20110330091416.GI681@anguilla.noreply.org> <p06240803c9b8c1a35d7c@130.129.71.125> <F0969248-124A-4A32-9F8F-EA81B17FDE05@bbn.com> <20EEA73E-9E5E-4D8F-B70C-BD6DF37F60E6@nzrs.net.nz> <0D12CEFF-68F5-49C1-B4A9-6A0572936B3C@bbn.com> <72CD6385-5FBF-41FF-90D5-71B7A2A87BE1@nzrs.net.nz>
Date: Wed, 30 Mar 2011 22:20:21 +0200
Message-ID: <AANLkTinsivAM6W2DrpHb+a8T_CRN5=gBjBQD76=Ysbqu@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Jay Daley <jay@nzrs.net.nz>
Cc: Peter Palfrader <peter@palfrader.org>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

On Wed, Mar 30, 2011 at 10:14 PM, Jay Daley <jay@nzrs.net.nz> wrote:
>
> On 31/03/2011, at 9:03 AM, Richard L. Barnes wrote:
>
>> Nope, it's up to applications.  If you want CN/SAN *not* to be checked for HTTPS, then you need to go revise RFC 2818; for SMTP, RFC 3207; for IMAP/POP3, RFC 2595.
>
> Indeed.
>
> I assumed we were updating RFC 2818.

In that case, this document will need to be dual last called in the
TLS WG, since 2818 was a TLS product.

-Ekr