IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 05 August 2010 18:28 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 216D73A687D; Thu, 5 Aug 2010 11:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.235
X-Spam-Level:
X-Spam-Status: No, score=-3.235 tagged_above=-999 required=5 tests=[AWL=0.364, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B6UB0DUzBPsW; Thu, 5 Aug 2010 11:28:00 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id 260D33A67E3; Thu, 5 Aug 2010 11:28:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1281032912; x=1312568912; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20Nicolas.Williams@oracle.com,=20pgut001@cs.auckland .ac.nz|Subject:=20Re:=20[pkix]=20[TLS]=20=20New=20version =20of=20Multiple=20OCSP=20mode=20of=20Certificate|Cc:=20m rex@sap.com,=20pkix@ietf.org,=20tls@ietf.org|In-Reply-To: =20<20100805164717.GJ5213@oracle.com>|Message-Id:=20<E1Oh 5B3-00032M-JX@wintermute02.cs.auckland.ac.nz>|Date:=20Fri ,=2006=20Aug=202010=2006:28:25=20+1200; bh=PIxKEhOF6QnyRhjt4QEfX7mueTzvlOxRfrL3JLTzHpw=; b=SDEf5NL+/I+clE4MkWVUe4zat5hkaWaqk3tLpMWEmmQt3A1fRaiWPAHo sXIn5gckJV0muTr30xIMjNdQ5dj9M9dbD0B+0LFKXpNdBAMEJrNWC1gmK PiXgXYqNuyLwgLZ+Xb7ziYp2jUz8GM12Ei3cnqmsKXVysagB09dcqODQr g=;
X-IronPort-AV: E=Sophos;i="4.55,324,1278244800"; d="scan'208";a="19416665"
X-Ironport-HAT: UNIVERSITY - $RELAY-THROTTLE
X-Ironport-Source: 130.216.207.92 - Outgoing - Outgoing
Received: from wintermute02.cs.auckland.ac.nz ([130.216.207.92]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 06 Aug 2010 06:28:26 +1200
Received: from pgut001 by wintermute02.cs.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@cs.auckland.ac.nz>) id 1Oh5B3-00032M-JX; Fri, 06 Aug 2010 06:28:25 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nicolas.Williams@oracle.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <20100805164717.GJ5213@oracle.com>
Message-Id: <E1Oh5B3-00032M-JX@wintermute02.cs.auckland.ac.nz>
Date: Fri, 06 Aug 2010 06:28:25 +1200
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 18:28:02 -0000

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

>The constraint can be such that only a hostname can be provided.

And how do you specify appropriate restrictions to make something "only a
hostname"?  Look at the endless battle in browsers with various ways of
representing IP addresses that don't look anything like IP addresses.  Also,
what if the hostname is something inside your network?  In addition if I can
spoof DNS responses (pretty easy because I can get you to query hostnames like
<randomgibberish>.com which your corporate-internal resolver won't have cached
so it has to go to an external server) I can make the hostname reside at any
address I want, including RFC 1918 ones.

Peter.

v2.23.0 | Report a Bug | By Email