Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

[Paul Hoffman <paul.hoffman@vpnc.org>]

On Mar 21, 2011, at 6:04 AM, Peter Palfrader wrote:

> On Mon, 21 Mar 2011, Jakob Schlyter wrote:
> 
>> On 21 mar 2011, at 10.25, Peter Palfrader wrote:
>> 
>>> Updating the certificate and its corresponding binding in DNS is not
>>> dissimilar to updating DNSKEY and DS records: care must be taken to get
>>> the timing right, so that's a potential source of error.
>> 
>> Update TLSA resource records is very different from update DNSKEY et
>> al. - as long as you take the TTL into consideration, you can update
>> as you wish.
> 
> Create a new cert, create its hash, send to the DNS guys for inclusion.
> Wait TTL.
> Deploy new cert.
> Mail the DNS people that they can now remove the old hash.
> 
> That's not really something you want to have to do all that often.
> 
>>> But even if we do require SNI for TLSA to be useful with virtual
>>> hosting, that still means a virtual hosting provider has to create a
>>> certificate for each of the domains they want to serve[2].
>> 
>> Yes, why would that be a problem?
> 
> Why is it needed in the first place?


That's a very good question. I don't feel that it is a "need", but it "makes some sense". That is, if I want to go to www.example.com, and I get an A record for www.example.com, and I get a TLSA record for _http._tcp.www.example.com, and I get a certificate that says "this key is associated with www.somethingelse.com", what does it mean?

I can see both ways: "it doesn't matter what the cert says, we are trusting the binding from the DNS" vs. "the cert needs to mean something"? Jakob and I have that text in because a number of people on the list were in the latter category, but it seems like a reasonable question to ask separately.

--Paul Hoffman