Re: [TLS] [certid] Why require EKU for certid?

Martin Rex <mrex@sap.com> Thu, 23 September 2010 16:13 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201009231613.o8NGDiL2016566@fs4113.wdf.sap.corp>
To: paul.hoffman@vpnc.org
Date: Thu, 23 Sep 2010 18:13:44 +0200
In-Reply-To: <p0624084ac8bfe10f5b72@[10.20.30.158]> from "Paul Hoffman" at Sep 22, 10 09:44:13 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: certid@ietf.org, ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] [certid] Why require EKU for certid?
Precedence: list
Reply-To: mrex@sap.com

Paul Hoffman wrote:
> 
>>> There should at least be a rule stating that any client that accepts the CN
>>> attribute to carry the domain name MUST also perform name constraints on
>>> this attribute using the domain name logic if name constraints is applied to
>>> the path. Failing this requirement poses a security threat if the claimed
>>> domain name in CN-ID violated the name constraints set for domain names.
> 
> Fully disagree.

I do agree with Paul that something is very wrong about this paragraph.

What it seems to request is that dNSName SAN name constraints ought
to be performed on CN-ID if server endpoint identification is
performed with CN-ID.

Since there is a requirement to use (issue) DNS-IDs in server certs,
and a requirement to ignore CN-ID when DNS-ID is present, such a
name constraints processing scheme looks awkward to me.

Name Constraints (and its processing) is something that is specified
in PKIX Internet Certificate and CRL profile (rfc-5280 and its
predecessor rfc-3280) plus some ISO-specs (btw. are these publicly
available anywhere), and that is normally implemented entirely within
the certificate path validation of the PKI software.

The BCP for server endpoint identification with TLS is something,
that according to the last sentence of section 1 of all TLS specs
is a matter of the application on top of TLS.

A CA with name constraints for DNSName SANs (required critical according
to rfc5280, mind you) in its own CA certificate that issues TLS server
certificates without dNSName SANs yields "fubar" on my scorecard.

The support of CN-IDs is "legacy" and retained for backwards
compatibility with the installed base.

Those that need the backwards compatibility will _not_ disable
the matching fallback if DNSName SANs are present, and they're
even more unlikely to adopt such a weird name constraints
processing of a fallback they shouldn't be doing in the 
first place and keep doing only to not interfere with
installed base.

-Martin

Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
Re: [TLS] Review of draft-saintandre-tls-server-i… Bernard Aboba
Re: [TLS] Review of draft-saintandre-tls-server-i… =JeffH
Re: [TLS] [xmpp] Review of draft-saintandre-tls-s… Bernard Aboba
Re: [TLS] Review of draft-saintandre-tls-server-i… James Schaad
Re: [TLS] [xmpp] Review of draft-saintandre-tls-s… Bernard Aboba
Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
Re: [TLS] Review of draft-saintandre-tls-server-i… James Schaad
Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
Re: [TLS] Review of draft-saintandre-tls-server-i… Peter Saint-Andre
[TLS] Why require EKU for certid? Paul Hoffman
Re: [TLS] Why require EKU for certid? Peter Saint-Andre
Re: [TLS] Why require EKU for certid? Jim Schaad
Re: [TLS] [certid] Why require EKU for certid? Martin Rex
Re: [TLS] [certid] Why require EKU for certid? Henry B. Hotz