Re: [pkix] Amendment to CABF Baseline Requirements
"Erik Andersen" <era@x500.eu> Mon, 10 April 2017 15:13 UTC
Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABDED12953F for <pkix@ietfa.amsl.com>; Mon, 10 Apr 2017 08:13:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMvNDczFWxOc for <pkix@ietfa.amsl.com>; Mon, 10 Apr 2017 08:13:20 -0700 (PDT)
Received: from mail02.dandomain.dk (mail02.dandomain.dk [194.150.112.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED0E5129536 for <pkix@ietf.org>; Mon, 10 Apr 2017 08:13:16 -0700 (PDT)
Received: from Morten ([62.44.134.150]) by mail02.dandomain.dk (DanDomain Mailserver) with ASMTP id 2201704101713121242 for <pkix@ietf.org>; Mon, 10 Apr 2017 17:13:12 +0200
From: Erik Andersen <era@x500.eu>
To: pkix@ietf.org
References: <906f1c1dde4f44789646197d887da312@EX2.corp.digicert.com>
In-Reply-To: <906f1c1dde4f44789646197d887da312@EX2.corp.digicert.com>
Date: Mon, 10 Apr 2017 17:13:11 +0200
Message-ID: <000001d2b20c$f8031930$e8094b90$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01D2B21D.BB9007E0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQLbax/O6ZBps7Ft6UeYTkOEFrZPhJ+tOOjQ
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/gtacwScaS-T-pCN4HxzwaNfWVbg>
Subject: Re: [pkix] Amendment to CABF Baseline Requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 15:13:24 -0000
Hi Ben and others, I responded to the upper bound issue before reading Bens question. I have a comment not related to the commonName attribute type. The commonName is being (mis)used for all kind of things, so you cannot know what the syntax really is, which should cause interworking problems. The use of commonName should possibly be deprecated. As to use the commonName for holding an FQDN, it is a little problematic. The matching rule for FQDNs is a little more complicated than the one for commonName. X.520 has a dsnName attribute type and as it is rather new it has not upper bound specification. It is defined as: 6.2.15 Domain name A value of attribute type dnsName is used for holding a DNS domain name, which may be an internationalized domain name (IDN). dnsName ATTRIBUTE ::= { WITH SYNTAX DomainName EQUALITY MATCHING RULE dnsNameMatch LDAP-SYNTAX dnsString.&id LDAP-NAME {"DNS name"} ID id-at-dnsName } DomainName ::= UTF8String (CONSTRAINED BY { -- Conforms to the format of a (internationalized) domain name. -- }) A value of the DomainName data type shall be in the syntax, as specified by section 2.3.1 of IETF RFC 5890 meaning that a domain name is a sequence of labels in the letters, digits, hyphen (LDH) format separated by dots. A label may be in three formats: a) All characters in the label are from the Basic Latin collection as defined by ISO/IEC 10646 (i.e., having code points in the ranges 002D, 0030-0039, 0041-005A and 0061-007A) and it does not start with "xn--". The maximum length is 63 octets. b) It is an A-label as defined in IETF RFC 5890, i.e., it starts with the "xn--" and is a U-label converted to valid ASCII characters as in item a) using the Punycode algorithm defined by IETF RFC 3492. The converted string shall be maximum 59 octets. To be valid, it shall be possible for an A-label to be converted to a valid U-label. NOTE 1 An A-label is normally not human readable. c) It is a U-label as defined in IETF RFC 5890, i.e., it contains characters outside the Basic Latin collection. A valid U-label shall not include any characters that are not included in the restricted Unicode repertoire as defined by IETF RFC 5892 and it shall be convertible to a valid A-label as defined in item b). A valid U-label may be more than 63 octets. NOTE 2 In a constraint environment, it is recommended to use a domain name whenever possible, according to item a). NOTE 3 When used as a naming attribute, a unique distinguished name may be constructed using only this attribute type. An attribute of type dnsName to be used as a distinguished name in a public-key certificate or in an attribute certificate shall be a fully-qualified domain name (FQDN), i.e., it shall identify a particular entity. An FQDN may have an asterisk ('*') as an additional leftmost label, which is a substitute (wildcard) for all labels at the next levels of subdomains of the domain identified by the FQDN without the asterisk. An attribute of type dnsName holding an FQDN with a wildcard label may in some cases be used in the subject component of an end-entity public-key certificate. The corresponding matching rule is defined as: 8.9.2 DNS name match The dnsNameMatch compares two values of type dnsName for equality and is defined as: dnsNameMatch MATCHING-RULE ::= { SYNTAX DomainName LDAP-SYNTAX dnsString.&id LDAP-NAME {"dnsNameMatch"} ID id-mr-dnsNameMatch } The equality matching is performed label for label. If the number of the labels in the two attribute values are different, the rule shall return FALSE. The rule shall return TRUE for each pair of labels matched for the rule to return TRUE for the two values. Otherwise, it shall return FALSE. The matching of the individual labels shall be performed as follows: a) If one of the labels to be compared is of the type defined in item a) of clause 6.2.15 and the other label is either an A-label or a U-label as defined in IETF RFC 5890, the rule shall return FALSE. b) If the two labels are of the same type, they shall be compared following the rules for caseIgnoreMatch. c) If one the labels is of type A-label and the other one is of type U-label, the latter shall be converted to an A-label before comparison following the rules for caseIgnoreMatch. In addition, the following applies if one or both of the values have wildcard ('*') labels: d) If at least one of the values contains more than one wildcard label or if a wildcard label is not the leftmost label, the rule shall return FALSE. e) If one or both the values has a wildcard as the leftmost label, the remaining labels shall be matched as stated in a) to c) above and shall return TRUE or FALSE accordingly. NOTE The effect of the wildcard match is that *.example.com will match a.example.com and b.example.com but not a.b.example.com nor example.com. Erik Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Ben Wilson Sendt: 06 April 2017 18:24 Til: pkix@ietf.org Emne: [pkix] Amendment to CABF Baseline Requirements Does anyone want to comment on my draft amendment to the CA/Browser Forums Baseline Requirements for SSL/TLS Certificates which would remove the 64-character limit on the commonName and organizationName, as an exception to RFC 5280? The text of the relevant Baseline Requirement provision is found below with the proposed additional language in ALL CAPS. The reason for the first change (commonName) is there are FQDNs (in Subject Alternative Names) that are longer than 64 characters. The reason for the second change (organizationName) is that there are organizations with names longer than 64 characters. 7.1.4.2.2. Subject Distinguished Name Fields a. Certificate Field: subject:commonName (OID 2.5.4.3) Required/Optional: Deprecated (Discouraged, but not prohibited) Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificates subjectAltName extension (see Section 7.1.4.2.1). MAXIMUM LENGTH: NO STIPULATION. (THIS IS AN EXCEPTION TO RFC 5280 WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.) b. Certificate Field: subject:organizationName (OID 2.5.4.10) Optional. Contents: If present, the subject:organizationName field MUST contain either the Subjects name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows Company Name Incorporated, the CA MAY use Company Name Inc. or Company Name. Because Subject name attributes for individuals (e.g. givenName (2.5.4.42) and surname (2.5.4.4)) are not broadly supported by application software, the CA MAY use the subject:organizationName field to convey a natural person Subjects name or DBA. MAXIMUM LENGTH: 256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.) Thanks, Ben Wilson
- Re: [pkix] Amendment to CABF Baseline Requirements Russ Housley
- Re: [pkix] Amendment to CABF Baseline Requirements Russ Housley
- Re: [pkix] Amendment to CABF Baseline Requirements Russ Housley
- Re: [pkix] Amendment to CABF Baseline Requirements Erik Andersen
- Re: [pkix] Amendment to CABF Baseline Requirements Erik Andersen
- Re: [pkix] Amendment to CABF Baseline Requirements Carl Wallace
- Re: [pkix] Amendment to CABF Baseline Requirements Jeremy Rowley
- Re: [pkix] Amendment to CABF Baseline Requirements Jim Schaad
- Re: [pkix] Amendment to CABF Baseline Requirements Sill, Alan
- Re: [pkix] Amendment to CABF Baseline Requirements Carl Wallace
- Re: [pkix] Amendment to CABF Baseline Requirements Erik Andersen
- [pkix] Amendment to CABF Baseline Requirements Ben Wilson
- Re: [pkix] Amendment to CABF Baseline Requirements Carl Wallace
- Re: [pkix] Amendment to CABF Baseline Requirements Jeremy Rowley
- Re: [pkix] Amendment to CABF Baseline Requirements Michael StJohns
- Re: [pkix] Amendment to CABF Baseline Requirements Carl Wallace
- Re: [pkix] Amendment to CABF Baseline Requirements Ben Wilson
- Re: [pkix] Amendment to CABF Baseline Requirements Russ Housley
- Re: [pkix] Amendment to CABF Baseline Requirements Peter Bowen
- Re: [pkix] Amendment to CABF Baseline Requirements Erwann Abalea
- Re: [pkix] Amendment to CABF Baseline Requirements Erik Andersen
- Re: [pkix] Amendment to CABF Baseline Requirements Rob Stradling
- Re: [pkix] Amendment to CABF Baseline Requirement… Martin Rex
- Re: [pkix] Amendment to CABF Baseline Requirements Michael StJohns