Re: [TLS] Review of draft-saintandre-tls-server-id-check
Peter Saint-Andre <stpeter@stpeter.im> Wed, 22 September 2010 16:32 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F089D28C0DC; Wed, 22 Sep 2010 09:32:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.254
X-Spam-Level:
X-Spam-Status: No, score=-102.254 tagged_above=-999 required=5 tests=[AWL=-0.255, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id INiWxTXspKo9; Wed, 22 Sep 2010 09:32:38 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 36EDD3A6A97; Wed, 22 Sep 2010 09:32:38 -0700 (PDT)
Received: from moveme.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id B078A40074; Wed, 22 Sep 2010 10:37:58 -0600 (MDT)
Message-ID: <4C9A2FBF.30007@stpeter.im>
Date: Wed, 22 Sep 2010 10:33:03 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.12) Gecko/20100914 Thunderbird/3.0.8
MIME-Version: 1.0
To: "t.petch" <daedulus@btconnect.com>
References: <C8B43C8F.EE18%stefan@aaa-sec.com> <4C8E78A9.7040608@stpeter.im> <007c01cb55a9$b2175a60$4001a8c0@gateway.2wire.net>
In-Reply-To: <007c01cb55a9$b2175a60$4001a8c0@gateway.2wire.net>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] Review of draft-saintandre-tls-server-id-check
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 16:32:40 -0000
On 9/16/10 8:15 AM, t.petch wrote: > ----- Original Message ----- > From: "Peter Saint-Andre" <stpeter@stpeter.im> > To: "Stefan Santesson" <stefan@aaa-sec.com> > Sent: Monday, September 13, 2010 9:16 PM > >> On 9/13/10 12:39 PM, Stefan Santesson wrote: >>> On 10-09-13 6:08 PM, "Peter Saint-Andre" <stpeter@stpeter.im> wrote: >>>> >>>> Hi Shumon, >>>> >>>> As I see it, this I-D is attempting to capture best current practices >>>> regarding the issuance and checking of certificates containing >>>> application server identities. Do we have evidence that any existing >>>> certification authorities issue certificates containing both an SRVname >>>> for the source domain (e.g., example.com) and dNSName for the target >>>> domain (e.g., apphosting.example.net)? Do we have evidence that any >>>> existing application clients perform such checks? If not, I would >>>> consider such complications to be out of scope for this I-D. >>>> >>>> That said, we need to be aware that if such usage arises in the future, >>>> someone might write a document that updates or obsoletes this I-D; in >>>> fact the present authors very much expect that such documents will >>>> emerge after the Internet community (specifically certification >>>> authorities, application service providers, and application client >>>> developers) have gained more experience with PKIX certificates in the >>>> context of various application technologies. >>>> >>>> Peter >>> >>> I would like to turn the question around and ask why this specification need >>> to have an opinion on whether a relying party feels he have to check both >>> host name and service? >> >> Stop right there. :) I sense a possible source of confusion. What do you >> mean by "host name" and what do you mean by "service"? >> >> In this I-D, we talk about "DNS domain name" and "service type", which >> map quite well to _Service.Name from RFC 4985: the DNS domain name is >> the "source domain" provided by the user or configured into the client >> (e.g., "example.com") and the "service type" is a given application >> protocol that could be serviced by the source domain (e.g., "IMAP"). >> >> This I-D is attempting to gently nudge people in the direction of >> checking both the DNS domain name and the service type. IMHO this is >> consistent with considering the SRVName and uniformResourceIdentifier >> subjectAltName entries as more tightly scoped than dNSName or CN, and >> therefore as potentially more "secure" in some sense (the subject might >> want to limit use of a particular certificate to only the service type >> identified in the SRVName or uniformResourceIdentifier). > > <tp> > Ah, that explains a lot; I knew I smelt a rat, I just did not realise how big it > was:-) It is fine if you want to nudge Certificate Authorities into issuing > certs with SRVName but you should put that up front, in the Abstract eg > "This memo encourages Certificate Authorities to issue certificates with SRVName > names" > > Otherwise people are likely to expend effort on this memo which will turn out to > be unproductive; as this thread has established, SRVName do exist, but not in > many places, which makes this memo of rather limited scope. > > I wondered why the emphasis on server names had grown and grown, in the I-D and > on this thread, an emphasis which to me seemed a distraction and irrelevance, > and now I see why; nothing wrong, just needs making this explicit. > > Tom Petch > > </tp> Thanks for your feedback. As a way of orienting the reader, Jeff and I are discussing the possibility of adding a section to the introduction that provides an informational overview of the recommendations contained in the document. Peter -- Peter Saint-Andre https://stpeter.im/
- Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
- Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
- Re: [TLS] Review of draft-saintandre-tls-server-i… Bernard Aboba
- Re: [TLS] Review of draft-saintandre-tls-server-i… =JeffH
- Re: [TLS] [xmpp] Review of draft-saintandre-tls-s… Bernard Aboba
- Re: [TLS] Review of draft-saintandre-tls-server-i… James Schaad
- Re: [TLS] [xmpp] Review of draft-saintandre-tls-s… Bernard Aboba
- Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
- Re: [TLS] Review of draft-saintandre-tls-server-i… James Schaad
- Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
- Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
- [TLS] Why require EKU for certid? Paul Hoffman
- Re: [TLS] Why require EKU for certid? Peter Saint-Andre
- Re: [TLS] Why require EKU for certid? Jim Schaad
- Re: [TLS] [certid] Why require EKU for certid? Martin Rex
- Re: [TLS] [certid] Why require EKU for certid? Henry B. Hotz