Re: [pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate

"martijn.list" <martijn.list@gmail.com> Fri, 22 August 2014 08:08 UTC

Message-ID: <53F6FA84.8090905@gmail.com>
Date: Fri, 22 Aug 2014 10:08:36 +0200
From: "martijn.list" <martijn.list@gmail.com>
To: pkix@ietf.org
References: <53F0A868.7050200@gmail.com>
In-Reply-To: <53F0A868.7050200@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/GBArDHEgEV6HyLiOW9vjitrPtUg
Subject: Re: [pkix] Looking for some clarification on how to correctly specify rfc822Name constraint for an X.509 certificate

Since I did not get any response, I guess my question was not clear or I
should ask somewhere else. Any idea where to ask for some clarification
on rfc822Name constraints (see below)?

Kind regards,

Martijn Brinkers


On 08/17/2014 03:04 PM, martijn.list wrote:
> Recently we noticed that an end user S/MIME certificate was not
> validated by our encryption gateway. The certificate in question was
> issued by an intermediate certificate (which was again issued by a
> Quovadis root) that contained an rfc822Name constraint. The rfc822Name
> constraint was specified as follows:
> 
> @example.com
> 
> RFC 5280 specifies the format for rfc822Name constraints as follows:
> 
> "A name constraint for Internet mail addresses MAY specify a
> particular mailbox, all addresses at a particular host, or all
> mailboxes in a domain.  To indicate a particular mailbox, the
> constraint is the complete mail address.  For example,
> "root@example.com" indicates the root mailbox on the host
> "example.com".  To indicate all Internet mail addresses on a
> particular host, the constraint is specified as the host name.  For
> example, the constraint "example.com" is satisfied by any mail
> address at the host "example.com".  To specify any address within a
> domain, the constraint is specified with a leading period (as with
> URIs).  For example, ".example.com" indicates all the Internet mail
> addresses in the domain "example.com", but not Internet mail
> addresses on the host "example.com"."
> 
> (http://tools.ietf.org/html/rfc5280#section-4.2.1.10)
> 
> So the way I read this is that a constraint for the domain example.com
> should be specified as
> 
> example.com
> 
> and not as
> 
> @example.com
> 
> This might explain why our Java based software refuses to validate the
> end user certificate since test@example.com does not match the
> @example.com constraint. Adding an @ symbol will also be problematic
> when using the .example.com domain constraint since that would then
> result in @.example.com.
> 
> To confuse things even more, Microsoft seems to mix the two options.
> They use @example.com for constraining to the example.com domain but
> .example.com for matching sub domains:
> 
> "UPN name constraints should always be entered as two separate entries
> in the list of name constraints. One entry should include the ampersand
> character (such as @nwtraders.com); the second entry should replace the
> ampersand with a period (.), so this entry would be .nwtraders.com. This
> format allows for the possibility of having a UPN of
> subdomain.nwtraders.msft."
> 
> From http://technet.microsoft.com/en-us/library/cc737026%28v=ws.10%29.aspx
> 
> Is there any consensus on what the correct format is according to RFC 5280?
> 
> Are there other implementations that use @example.com instead of
> example.com for rfc822Name constraints?
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> 


-- 
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
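The three rfc822Name constraint forms quoted from RFC 5280 above, as an added example that is not part of the original post or of CipherMail's code. It shows why, under a strict reading of the RFC, a constraint written as "@example.com" has an empty local part and therefore matches no mailbox, while "example.com" matches the host and ".example.com" matches only subdomains; the function names and the sample addresses are constructed for this example.

```python
"""rfc822Name name-constraint matching per RFC 5280 section 4.2.1.10."""


def rfc822name_matches(constraint: str, mailbox: str) -> bool:
    """Return True if `mailbox` falls within `constraint`.

    The host part is a DNS name and is compared case-insensitively; the
    local part is compared as-is (RFC 5280 treats it as case-sensitive).
    """
    if "@" not in mailbox:
        raise ValueError("mailbox must be of the form local-part@host")
    local, host = mailbox.rsplit("@", 1)
    host = host.lower()
    constraint = constraint.strip()

    if "@" in constraint:
        # Form 1: a particular mailbox, e.g. "root@example.com".
        # "@example.com" has an empty local part, so no real mailbox
        # (whose local part is never empty) can match it.
        c_local, c_host = constraint.rsplit("@", 1)
        return c_local == local and c_host.lower() == host
    if constraint.startswith("."):
        # Form 3: any address within the domain, e.g. ".example.com"
        # matches user@mail.example.com but not user@example.com.
        return host.endswith(constraint.lower())
    # Form 2: all mailboxes on exactly this host, e.g. "example.com".
    return host == constraint.lower()


def check_name_constraints(mailbox: str, permitted=(), excluded=()) -> bool:
    """Apply permittedSubtrees/excludedSubtrees to one rfc822Name.

    The name must fall within at least one permitted subtree (when any
    are given for this name type) and within no excluded subtree.
    """
    if any(rfc822name_matches(c, mailbox) for c in excluded):
        return False
    if permitted and not any(rfc822name_matches(c, mailbox) for c in permitted):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the constraint form from the original post.
    for c in ("@example.com", "example.com", ".example.com"):
        print(f"{c!r:16} matches test@example.com: "
              f"{rfc822name_matches(c, 'test@example.com')}")
```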