Re: [Syslog] -transport-tls references to "matching rules"

"tom.petch" <cfinss@dial.pipex.com> Thu, 29 May 2008 15:22 UTC

Message-ID: <009f01c8c196$a8d14000$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <577465F99B41C842AAFBE9ED71E70ABA3090D9@grfint2.intern.adiscon.com><AC1CFD94F59A264488DC2BEC3E890DE505E7E83C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA3090E0@grfint2.intern.adiscon.com>
Date: Thu, 29 May 2008 16:15:20 +0200
Cc: syslog@ietf.org
Subject: Re: [Syslog] -transport-tls references to "matching rules"
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>

I think that the I-D has got a bit mangled.

I liked, and may have been responsible for, the reference to RFC2818 as being an
example of the checks to perform on a certificate, written about a well-known
application by someone familiar with TLS:-)  This was the basis for our
validation rules, CN deprecated, subjectAltName must be used as an identity etc
and it helped (me) to know where they came from.

The mention of certificates warranted a reference and that was provided by
RFC3280.  This reference was never about validation rules.

We did not use to have certificate path validation.  We do now and I do not
know a good reference for it; I agree that RFC3280 et seq is not it.  This lack
I see as a(nother?) deficiency on the part of the security engineers:-(

Tom Petch

----- Original Message -----
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Cc: <syslog@ietf.org>
Sent: Thursday, May 29, 2008 8:21 AM
Subject: Re: [Syslog] -transport-tls references to "matching rules"


> Mhhh... Wouldn't it then be appropriate to drop these sentences from
> transport-tls:
>
> ###
> Matching  for certificate credentials is performed using the
> matching rules specified by [3].
> ###
>
> They created the impression (at least for me), I need to look up the
> rule in 5280 in order to implement -tls correctly. As you now say, this
> is not the case (it may be with internationalized names on subject name
> matching, but it seems not to be in other cases, namely for ipAddress,
> where it is specified, too).
>
> Rainer
>
> > -----Original Message-----
> > From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com]
> > Sent: Thursday, May 29, 2008 3:01 AM
> > To: Rainer Gerhards; syslog@ietf.org
> > Subject: RE: [Syslog] -transport-tls references to "matching rules"
> >
> > The only place 5280 goes into great detail about matching is with
> > internationalized names.  I don't think it specifies any specific rules
> > for matching the iPaddress within a subjectAltName.   This is left up to
> > the definition by the application making use of the certificates.  I'm
> > not sure we need to standardize matching behavior unless it affects the
> > representation within the certificates (for example including wildcards
> > in the identities).
> >
> > Joe
> >
> >
> >
> > > -----Original Message-----
> > > From: syslog-bounces@ietf.org
> > > [mailto:syslog-bounces@ietf.org] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, May 28, 2008 8:41 AM
> > > To: syslog@ietf.org
> > > Subject: [Syslog] -transport-tls references to "matching rules"
> > >
> > > Hi,
> > >
> > > -transport-tls refers (as [3] to RFC 5280), e.g. "Matching
> > > for certificate credentials is performed using the matching
> > > rules specified by [3]." I am revisiting 5280 to find the
> > > matching rules for ipAddress. However, this is a nearly 150
> > > page document and I admit I do not know its ins and outs. It
> > > would be really helpful if a section is mentioned inside the
> > > reference so that one can quickly look up the rules.
> > >
> > > And, a hopefully quick question, where do I find the rules
> > > for ipAddress? I was unable to bring it up on a quick look.
> > >
> > > Thanks,
> > > Rainer
> > > _______________________________________________
> > > Syslog mailing list
> > > Syslog@ietf.org
> > > https://www.ietf.org/mailman/listinfo/syslog
> > >

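The thread separates two things that -transport-tls implementations tend to conflate: RFC 5280 certificate path validation (is this certificate chained to a trust anchor I accept?) and identity matching in the RFC 2818 style (does the subjectAltName carry the collector's host name or IP address I expected?). The following Go program, added here as an illustration and not code from the draft, rsyslog or any list participant, builds a throw-away CA and collector certificates in memory and runs both checks with the standard library's crypto/x509. All names and addresses (Example Syslog CA, syslog.example.com, the TEST-NET-1 address 192.0.2.10) are constructed for the example. It shows that an iPAddress SAN matches an IP literal, that a mismatching address or host name is rejected, that a certificate whose only identity is in the CN is rejected (the "CN deprecated, subjectAltName must be used" rule), and that a certificate from an unknown CA fails before any name matching happens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parentKey (self-signed with a fresh key when parent is
// nil) and returns the parsed certificate plus the new subject key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = new(big.Int).Add(serial, big.NewInt(1)) // keep it positive
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed root: the trust anchor for path validation.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// NewCollectorCert issues a TLS server certificate for a syslog collector. The
// subjectAltName entries (dNSName, iPAddress) carry the identity; the CN is
// set only so the "CN only, no SAN" case can be demonstrated.
func NewCollectorCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dns,
		IPAddresses: ips,
	}, ca, caKey)
	return cert, err
}

// VerifyCollector runs path validation against roots and then matches expected
// (a host name or an IP literal) against the certificate's subjectAltName.
// Go's Verify does both when DNSName is set and never falls back to the CN.
func VerifyCollector(cert *x509.Certificate, roots *x509.CertPool, expected string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expected})
	return err
}

// RunScenarios builds two CAs and three collector certificates (all constructed
// for this example) and reports which (certificate, expected identity) pairs
// are accepted.
func RunScenarios() (map[string]bool, error) {
	ca, caKey, err := NewCA("Example Syslog CA")
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := NewCA("Some Other CA")
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the first CA is trusted

	ip := net.ParseIP("192.0.2.10") // TEST-NET-1 address, constructed
	good, err := NewCollectorCert(ca, caKey, "syslog.example.com", []string{"syslog.example.com"}, []net.IP{ip})
	if err != nil {
		return nil, err
	}
	cnOnly, err := NewCollectorCert(ca, caKey, "192.0.2.10", nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, err := NewCollectorCert(otherCA, otherKey, "syslog.example.com", []string{"syslog.example.com"}, []net.IP{ip})
	if err != nil {
		return nil, err
	}
	cases := []struct {
		name     string
		cert     *x509.Certificate
		expected string
	}{
		{"san-ip-match", good, "192.0.2.10"},
		{"san-ip-mismatch", good, "192.0.2.11"},
		{"san-dns-match", good, "syslog.example.com"},
		{"san-dns-mismatch", good, "other.example.com"},
		{"cn-only-ip", cnOnly, "192.0.2.10"},
		{"untrusted-ca", rogue, "syslog.example.com"},
	}
	out := make(map[string]bool, len(cases))
	for _, c := range cases {
		out[c.name] = VerifyCollector(c.cert, roots, c.expected) == nil
	}
	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-18s accepted=%v\n", name, ok)
	}
}
```

The point for an implementer of the draft is that the iPAddress match is a plain octet comparison against the SAN entries (no rule in RFC 5280 is needed for it), while the chain check is where RFC 5280 actually applies; keeping the two in separate steps also makes the failure reason (unknown CA versus wrong name) visible in the log.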