Re: [pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate

Tom Gindin <tgindin@us.ibm.com> Wed, 27 August 2014 02:31 UTC


        Erwann:

        That's not my reading of the section.  Three different cases are 
given for rfc822Name constraints, and the single-mailbox one contains an 
embedded at sign.  However, none of them start with an at sign.  It's 
pretty clear that the improper constraint in the example was intended to 
be equivalent to the domain-name-only format with no leading period, and 
should thus have been encoded with the at sign missing.  No compliant RP 
is required to interpret it, of course.

                Tom Gindin





From:   Erwann Abalea <eabalea@gmail.com>
To:     "martijn.list" <martijn.list@gmail.com>
Cc:     "<pkix@ietf.org>" <pkix@ietf.org>
Date:   08/22/2014 06:04 AM
Subject:        Re: [pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate
Sent by:        "pkix" <pkix-bounces@ietf.org>



In my view, there's no confusion in RFC5280. "@" is not required/accepted 
in a rfc822Name element.
The fact that Microsoft chooses another format for otherName:UPN does not 
change the rfc822Name semantics (while validating against 
NameConstraints).

2014-08-22 10:08 GMT+02:00 martijn.list <martijn.list@gmail.com>:
Since I did not get any response, I guess my question was not clear or I
should ask somewhere else. Any idea where to ask for some clarification
on rfc822Name constraints (see below)?

Kind regards,

Martijn Brinkers


On 08/17/2014 03:04 PM, martijn.list wrote:
> Recently we noticed that an end user S/MIME certificate was not
> validated by our encryption gateway. The certificate in question was
> issued by an intermediate certificate (which was again issued by a
> Quovadis root) that contained an rfc822Name constraint. The rfc822Name
> constraint was specified as follows:
>
> @example.com
>
> RFC 5280 specifies the format for rfc822Name constraints as follows:
>
> "A name constraint for Internet mail addresses MAY specify a
> particular mailbox, all addresses at a particular host, or all
> mailboxes in a domain.  To indicate a particular mailbox, the
> constraint is the complete mail address.  For example,
> "root@example.com" indicates the root mailbox on the host
> "example.com".  To indicate all Internet mail addresses on a
> particular host, the constraint is specified as the host name.  For
> example, the constraint "example.com" is satisfied by any mail
> address at the host "example.com".  To specify any address within a
> domain, the constraint is specified with a leading period (as with
> URIs).  For example, ".example.com" indicates all the Internet mail
> addresses in the domain "example.com", but not Internet mail
> addresses on the host "example.com"."
>
> (http://tools.ietf.org/html/rfc5280#section-4.2.1.10)
>
> So the way I read this is that a constraint for the domain example.com
> should be specified as
>
> example.com
>
> and not as
>
> @example.com
>
> This might explain why our Java based software refuses to validate the
> end user certificate since test@example.com does not match the
> @example.com constraint. Adding an @ symbol will also be problematic
> when using the .example.com domain constraint since that would then
> result in @.example.com.
>
> To confuse things even more, Microsoft seems to mix the two options.
> They use @example.com for constraining to the example.com domain but
> .example.com for matching sub domains:
>
> "UPN name constraints should always be entered as two separate entries
> in the list of name constraints. One entry should include the ampersand
> character (such as @nwtraders.com); the second entry should replace the
> ampersand with a period (.), so this entry would be .nwtraders.com. This
> format allows for the possibility of having a UPN of
> subdomain.nwtraders.msft."
>
> From 
> http://technet.microsoft.com/en-us/library/cc737026%28v=ws.10%29.aspx
>
> Is there any consensus on what the correct format is according to RFC 5280?
>
> Are there other implementations that use @example.com instead of
> example.com for rfc822Name constraints?

-- 
Erwann.
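Added worked example (not code from any poster in this thread): a matcher for the three rfc822Name constraint forms in the RFC 5280 text Martijn quotes, plus an optional lenient mode for the "@example.com" reading Tom describes. Function names and the case-handling choices are my own assumptions.

```python
"""rfc822Name name-constraint matching per RFC 5280 section 4.2.1.10.

Strict forms:
  'root@example.com' -> exactly that mailbox
  'example.com'      -> any mailbox on host example.com
  '.example.com'     -> any mailbox on a host below example.com (not the host itself)
A constraint like '@example.com' contains an '@', so it parses as the mailbox
form with an empty local-part and matches nothing under the strict reading.
"""


def _split_mailbox(addr):
    """Split 'local@domain' into (local, lowercased domain); None if malformed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def rfc822_name_matches(constraint, email, lenient=False):
    """True if `email` falls within the rfc822Name subtree `constraint`.

    lenient=True drops a leading '@' from the constraint and treats what is
    left as the host (or, for '@.example.com', the domain) form; this is the
    non-normative intent Tom attributes to the malformed entry, not RFC text.
    Assumption: local-part compared exactly, domain part case-insensitively.
    """
    parsed = _split_mailbox(email)
    if parsed is None:
        return False
    local, domain = parsed

    if lenient and constraint.startswith("@"):
        constraint = constraint[1:]

    if "@" in constraint:
        # Mailbox form; an empty local-part (e.g. '@example.com') never matches.
        c_local, _, c_domain = constraint.rpartition("@")
        return bool(c_local) and local == c_local and domain == c_domain.lower()

    c = constraint.lower()
    if c.startswith("."):
        # Domain form: a proper subdomain only; the bare host is excluded.
        return domain.endswith(c) and len(domain) > len(c)

    # Host form: exact host match.
    return domain == c


def permitted_by(constraints, email, lenient=False):
    """permittedSubtrees semantics: the name must fall within at least one entry."""
    return any(rfc822_name_matches(c, email, lenient) for c in constraints)
```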