[pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate

"martijn.list" <martijn.list@gmail.com> Sun, 17 August 2014 13:04 UTC

Message-ID: <53F0A868.7050200@gmail.com>
Date: Sun, 17 Aug 2014 15:04:40 +0200
From: "martijn.list" <martijn.list@gmail.com>
To: pkix@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/-HIIl4ovm2LfbPLeeEhHTpnGyW4
Subject: [pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate

Recently we noticed that an end user S/MIME certificate was not
validated by our encryption gateway. The certificate in question was
issued by an intermediate certificate (which was again issued by a
Quovadis root) that contained an rfc822Name constraint. The rfc822Name
constraint was specified as follows:

@example.com

RFC 5280 specifies the format for rfc822Name constraints as follows:

"A name constraint for Internet mail addresses MAY specify a
particular mailbox, all addresses at a particular host, or all
mailboxes in a domain.  To indicate a particular mailbox, the
constraint is the complete mail address.  For example,
"root@example.com" indicates the root mailbox on the host
"example.com".  To indicate all Internet mail addresses on a
particular host, the constraint is specified as the host name.  For
example, the constraint "example.com" is satisfied by any mail
address at the host "example.com".  To specify any address within a
domain, the constraint is specified with a leading period (as with
URIs).  For example, ".example.com" indicates all the Internet mail
addresses in the domain "example.com", but not Internet mail
addresses on the host "example.com"."

(http://tools.ietf.org/html/rfc5280#section-4.2.1.10)

So the way I read this is that a constraint for the domain example.com
should be specified as

example.com

and not as

@example.com

This might explain why our Java based software refuses to validate the
end user certificate since test@example.com does not match the
@example.com constraint. Adding an @ symbol will also be problematic
when using the .example.com domain constraint since that would then
result in @.example.com.

To confuse things even more, Microsoft seems to mix the two options.
They use @example.com for constraining to the example.com domain but
.example.com for matching subdomains:

"UPN name constraints should always be entered as two separate entries
in the list of name constraints. One entry should include the ampersand
character (such as @nwtraders.com); the second entry should replace the
ampersand with a period (.), so this entry would be .nwtraders.com. This
format allows for the possibility of having a UPN of
subdomain.nwtraders.msft."

From http://technet.microsoft.com/en-us/library/cc737026%28v=ws.10%29.aspx

Is there any consensus on what the correct format is according to RFC 5280?

Are there other implementations that use @example.com instead of
example.com for rfc822Name constraints?

Kind regards,

Martijn Brinkers


-- 
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
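Added example, not code from the original post or from CipherMail: a small Python matcher for the three rfc822Name constraint forms that RFC 5280 section 4.2.1.10 defines (particular mailbox, host, domain with a leading period), used to show why test@example.com satisfies the constraint example.com but not @example.com. It assumes the host part is compared case-insensitively and the local part case-sensitively; the function names are hypothetical.

```python
# Added example (not part of the original mailing-list post): an RFC 5280
# section 4.2.1.10 style matcher for rfc822Name name constraints. It shows
# why "test@example.com" fails against the "@example.com" constraint the
# post describes while passing against "example.com".

def rfc822name_matches(address: str, constraint: str) -> bool:
    """Return True if `address` satisfies `constraint` per RFC 5280 4.2.1.10.

    Three constraint forms are defined by the RFC:
      - "root@example.com": exactly that mailbox
      - "example.com":      any mailbox on that host
      - ".example.com":     any mailbox in a subdomain of example.com,
                            but NOT on the host example.com itself
    Anything containing "@" is treated as a mailbox constraint, so the
    undefined "@example.com" form (empty local part) matches no real address.
    Assumption: host part compared case-insensitively, local part exactly.
    """
    if "@" not in address:
        return False
    local, host = address.rsplit("@", 1)
    host = host.lower()
    constraint = constraint.strip()

    if "@" in constraint:
        # Particular mailbox: both local part and host must match.
        c_local, c_host = constraint.rsplit("@", 1)
        return c_local == local and c_host.lower() == host

    c = constraint.lower()
    if c.startswith("."):
        # Domain form: the host must lie strictly below the domain.
        return host.endswith(c) and host != c[1:]
    # Host form: exact host match only.
    return host == c


def satisfies_permitted_subtrees(address: str, permitted: list) -> bool:
    """An address is acceptable if it matches at least one permitted subtree."""
    return any(rfc822name_matches(address, c) for c in permitted)


if __name__ == "__main__":
    # Constructed sample values mirroring the cases discussed in the post.
    for constraint in ("@example.com", "example.com", ".example.com"):
        print(constraint, "->", rfc822name_matches("test@example.com", constraint))
```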