IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

Santosh Chokhani <SChokhani@cygnacom.com> Wed, 09 April 2014 14:15 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B84F71A0318 for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 07:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.274
X-Spam-Level:
X-Spam-Status: No, score=-0.274 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rThgXojXUCjs for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 07:15:13 -0700 (PDT)
Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 2BD5A1A031B for <tls@ietf.org>; Wed, 9 Apr 2014 07:15:13 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,826,1389762000"; d="scan'208";a="2571314"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge1.cygnacom.com with ESMTP; 09 Apr 2014 10:15:12 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.02.0247.003; Wed, 9 Apr 2014 10:15:12 -0400
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [TLS] Certificate validation can of worms
Thread-Index: AQHPUG9nRS10t5Ha0EyLKsoi0FgTh5sG4JsA///FM+CAAE2tgIABHNfAgABNPYCAAPmJEA==
Date: Wed, 09 Apr 2014 14:15:11 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E81139179393@scygexch10.cygnacom.com>
References: <4262AC0DB9856847A2D00EF817E811391789E8@scygexch10.cygnacom.com> <20140407213051.8B5E11ACAA@ld9781.wdf.sap.corp> <4262AC0DB9856847A2D00EF817E81139178FE7@scygexch10.cygnacom.com> <CAK3OfOjj_5mKGA5CGcgFbeGzpSoPB7k6rfomD+BwKK-D13n7CA@mail.gmail.com>
In-Reply-To: <CAK3OfOjj_5mKGA5CGcgFbeGzpSoPB7k6rfomD+BwKK-D13n7CA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.117.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vADIKYc4oRRe_j3OLwWX5B7_lcI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 14:15:17 -0000

Nico,

As far as CN is concerned, assuming that the path validation engine resides in a lower layer in the software stack and services a variety of protocols and applications, it would not make sense for RFC 5280 to specify this.  But, in order to facilitate what you are saying, I am an advocate of outputting the state of the name constraints as part of Section 6.1.6 of RFC 5280.  This would consist of permitted subtrees sets and excluded subtrees sets.  This output will allow higher layer protocols and applications to perform name constraints on CN.  For example, S/MIME application can verify if the e-mail address in the CN passes name constraints.

By your second part, I assume you mean when the DN contains domainComponnent attributes.  Section 4.1.2.4 of 5280 says these are not required to be converted to DNS names.  Thus, one need not apply DNS based name constraints to such DN.  I can see when the DN has a mix of attributes this leading to problems.  It is better to provide guidance to the CAs to assert the corresponding names as DNS name as well.  BTW, anything one does in this area should be applied uniformly to the Subject DN or DN in SAN.  I also did not see the discussion of this in RFC 6125.  May be I missed it or you meant something else altogether.

-----Original Message-----
From: Nico Williams [mailto:nico@cryptonector.com] 
Sent: Tuesday, April 08, 2014 3:07 PM
To: Santosh Chokhani
Cc: mrex@sap.com; tls@ietf.org
Subject: Re: [TLS] Certificate validation can of worms

On Tue, Apr 8, 2014 at 1:40 PM, Santosh Chokhani <SChokhani@cygnacom.com> wrote:

I agree with what you say, but there is one area where I think name constraints could be improved: when a certificate has no subjectAlternativeNames, or only directoryNames when it does, and those names are RFC6125-style, then if the CA certs in the validation path have dNSName name constraints then those should be applied to the CN RDNs of the subjectName and/or dirname SANs that bear the domainnames.  To my knowledge this isn't codified, but correct me if I'm wrong.

Nico
--

v2.23.0 | Report a Bug | By Email