Re: Request for new work item - Defining an SRV RR otherName
Sam Hartman <hartmans-ietf@mit.edu> Fri, 20 May 2005 20:20 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11020 for <pkix-archive@lists.ietf.org>; Fri, 20 May 2005 16:20:57 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4KJdY4a046608; Fri, 20 May 2005 12:39:34 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4KJdYfY046607; Fri, 20 May 2005 12:39:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (CARTER-ZIMMERMAN.MIT.EDU [18.18.3.197]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4KJdYSk046598 for <ietf-pkix@imc.org>; Fri, 20 May 2005 12:39:34 -0700 (PDT) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id A401FE0063; Fri, 20 May 2005 15:39:14 -0400 (EDT)
To: ietf-pkix@imc.org
Subject: Re: Request for new work item - Defining an SRV RR otherName
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Fri, 20 May 2005 15:39:14 -0400
Message-ID: <tsl1x81offh.fsf@cz.mit.edu>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi. I'm speaking as an individual not as an AD. This proposal was originally introduced as a use of dnsname in the Kerberos working group for pkinit. The authors of the proposal would like to name services as they are identified by users. For example a user types foo.bar.example.com into some program. The program looks up a SRV record for some service and then connects to that service. If insecure DNS is used then the dns lookup should not be part of the name against which a certificate is checkde. We're seeing a similar situation in the kitten working group ; see draft-ietf-kitten-gssapi-domain-based-names-00.txt. The idea of this proposal is that the certificate contain the name that the client system would look up in the same form as the client uses to look in DNS. I'm not sure how this proposal has evolved since it was first presented to me. Originally the goal was so that application libraries could use some sort of automatic mechanism to: * Look up SRV records * Bind to TLS certificates * Find the Kerberos principal name * Bind to pkinit certificates. All the application author would do would be to pass the service protocol and name into some magic function. That bothers me. There is no guarantee that the SRV record tag will match the GSS/Kerberos principal name. There is no guarantee that the service in question doesn't have some better choice for certificate binding like one of the IMPP-specific solutions. I'm also not quite sure that SRV tags are real/really the right thing to be binding to. If the PKIX working group does adopt this proposal I would recommend being very careful. Make sure to scope it only to be used for applications/services where it is appropriate. Make sure to discuss applications that already have a mechanism for binding their certificates. It might also be important to find out if there is actually a use case for this name type before standardizing it. There wasn't really that much support in krb-wg for the earlier version of this. --Sam
- Request for new work item - Defining an SRV RR ot… Stefan Santesson
- RE: Request for new work item - Defining an SRV R… Manger, James H
- Re: Request for new work item - Defining an SRV R… Jean-Marc Desperrier
- RE: Request for new work item - Defining an SRV R… Stefan Santesson
- Re: Request for new work item - Defining an SRV R… Sam Hartman
- RE: Request for new work item - Defining an SRV R… Stefan Santesson
- RE: Request for new work item - Defining an SRV R… Stefan Santesson
- Re: Request for new work item - Defining an SRV R… Sam Hartman
- RE: Request for new work item - Defining an SRV R… Stefan Santesson
- RE: Request for new work item - Defining an SRV R… Tom Gindin
- RE: Request for new work item - Defining an SRV R… Stefan Santesson