[quicwg/base-drafts] Mandating use of CN-ID is not modern practice (#4769)
Martin Thomson <notifications@github.com> Wed, 20 January 2021 02:50 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62F323A0C77 for <quic-issues@ietfa.amsl.com>; Tue, 19 Jan 2021 18:50:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.349
X-Spam-Level:
X-Spam-Status: No, score=-3.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2gD5fWMfF5HM for <quic-issues@ietfa.amsl.com>; Tue, 19 Jan 2021 18:50:57 -0800 (PST)
Received: from smtp.github.com (out-18.smtp.github.com [192.30.252.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D57343A0C6F for <quic-issues@ietf.org>; Tue, 19 Jan 2021 18:50:56 -0800 (PST)
Received: from github.com (hubbernetes-node-fad2226.va3-iad.github.net [10.48.113.23]) by smtp.github.com (Postfix) with ESMTPA id D38C83405B8 for <quic-issues@ietf.org>; Tue, 19 Jan 2021 18:50:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1611111055; bh=34IIXp4lmAfx2aDr/6hFnzmQQ2A1cXl6K4mb5JWgFBo=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=sfW2cUiaS1esSGisfCd04kETfEvEnhpQADS0QSB2aTndtETF1J00XBW3pvjHVKxH+ H3Xe/pAHmAKLB6YFEOYYLGkOgKF8jbds7kfcMfIlDvhZ0M2Q4C3BdOZ4TkyPlOUjwR lsfwR0OJ/QI4rh41va0oF57U3AsKMhheFaj5PwdA=
Date: Tue, 19 Jan 2021 18:50:55 -0800
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYCJIZK4LEUVIYRGNN6CN5Y7EVBNHHC6EAH7Q@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/4769@github.com>
Subject: [quicwg/base-drafts] Mandating use of CN-ID is not modern practice (#4769)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_60079a8fd01da_4a1a04164054"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/iaNSoieTZsYY8kJSgUqkDYPTrb8>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 02:50:58 -0000
@kaduk's review of -http identified use of the subject:commonName field in validating server identity. We should not elevate CN-ID to MUST. In doing so, we invalidate what CABF has done: 7.1.4.2.2 clause a of the Baseline Requirements marks subject:commonName as deprecated and discouraged. My understanding (which I can confirm) is that browsers do not use CN-ID (concretely, the CN field of the certificate subject) and so we might want to just mention the dNSName type of subjectAltName here. We can *mention* that some clients might use subject:commonName, but that this is a deprecated practice. This accounts for some of the older certificate validation code that still exists in some places. Some of that does rely on the common name. I realize that this likely breaks new ground for the RFC series, and it likely needs more discussion, but maybe we can keep up with the times with this document. (I apologize for not having caught this earlier; I think that this is copied from elsewhere and that too needs a refresh.) _Originally posted by @martinthomson in https://github.com/quicwg/base-drafts/pull/4767#discussion_r560635858_ -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/4769
- [quicwg/base-drafts] Mandating use of CN-ID is no… Martin Thomson
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… kaduk
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Lars Eggert
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Mike Bishop
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Mike Bishop
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Mike Bishop
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Lucas Pardue
- Re: [quicwg/base-drafts] Mandating use of CN-ID i… Lucas Pardue