[TLS] RE: Last call comments for draft-santesson-tls-(ume-04, supp-00)

"Stefan Santesson" <stefans@microsoft.com> Tue, 04 April 2006 22:28 UTC

Date: Tue, 04 Apr 2006 23:28:04 +0100
Message-ID: <BF9309599A71984CAC5BAC5ECA62994404932373@EUR-MSG-11.europe.corp.microsoft.com>
From: Stefan Santesson <stefans@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, Pasi.Eronen@nokia.com
Cc: tls@ietf.org
Subject: [TLS] RE: Last call comments for draft-santesson-tls-(ume-04, supp-00)

I'm sorry if my text was unclear.

If you specify UPN, then domain is automatically included in the UPN.
I'm preparing a new text proposal. I will send it tomorrow morning.
That will include processing and normalization of the domain component
which is Unicode UTF-8 normalized with Nameprep.


Stefan Santesson
Program Manager, Standards Liaison
Windows Security


> -----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: den 4 april 2006 20:15
> To: Stefan Santesson; Pasi.Eronen@nokia.com
> Cc: tls@ietf.org
> Subject: RE: Last call comments for draft-santesson-tls-(ume-04,supp-00)
> 
> It is okay with me, but your description does not match the
> text.  Based on your note, the domain must be present, and the upn is
> optional.  The text that Pasi quoted needs to be replaced with a
> sentence that says this.
> 
> Then, you need to add a paragraph that explains the processing when
> only the domain is present, and then a paragraph that explains the
> processing when both the domain and the upn are present.
> 
> Russ
> 
> 
> At 07:07 PM 4/3/2006, Stefan Santesson wrote:
> >Sometimes it is sufficient to specify the domain as the user name is
> >provided by the cert but that cert is used to access multiple accounts
> >in different domains. In other cases the full name@domain is needed.
> >
> >We chose to provide for both alternatives using the same hint type.
> >This works well and I would prefer to keep it that way.
> >
> >
> >Stefan Santesson
> >Program Manager, Standards Liaison
> >Windows Security
> >
> >
> > > -----Original Message-----
> > > From: Russ Housley [mailto:housley@vigilsec.com]
> > > Sent: den 3 april 2006 17:10
> > > To: Pasi.Eronen@nokia.com; Stefan Santesson
> > > Cc: tls@ietf.org
> > > Subject: RE: Last call comments for draft-santesson-tls-(ume-04,supp-00)
> > >
> > > Pasi:
> > >
> > > My comments were with respect to the user_principal_name within the
> > > UpnDomainHint.  Sorry for being ambiguous.
> > >
> > > Russ
> > >
> > >
> > > >Russ Housley wrote:
> > > > >
> > > > > Pasi:
> > > > >
> > > > > >4) tls-ume: Would it make sense to define two UserMappingData types,
> > > > > >    one for "user@domain" and another one for just "domain", instead
> > > > > >    of combining them in one type?
> > > > >
> > > > > I do not think so.  The name is user@domain.  It would be meaningless
> > > > > if only user was present, and it would be meaningless if only domain
> > > > > was present.
> > > >
> > > >I don't know if it's meaningless or not, but the current draft does
> > > >say that
> > > >
> > > >    The UpnDomainHint MUST at least contain a non empty
> > > >    user_principal_name or a non empty domain_name. The UpnDomainHint
> > > >    MAY contain both user_principal_name and domain_name.
> > > >
> > > >In other words, one of the fields can be empty. And since the
> > > >user_principal_name field is of the form "user@domain",
> > > >it looks like the UpnDomainHint structure can actually contain
> > > >two _different_ domain names. In other words, the spec does
> > > >allow things like:
> > > >
> > > >   UserMappingData {
> > > >     user_mapping_version = upn_domain_hint(0)
> > > >     UpnDomainHint {
> > > >       user_principal_name = "foo@example.com"
> > > >       domain_name = "bar.example.net"
> > > >     }
> > > >   }
> > > >
> > > >But the draft currently does not explain what this would mean,
> > > >or what the domain-name-only hints are (perhaps they're "Host Mapping
> > > >Data" for host certificates instead of user certs, or something).
> > > >This needs to be clarified.
> > > >
> > > >Best regards,
> > > >Pasi
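
As an added illustration, not part of the thread or of the draft text: a small Python checker for the UpnDomainHint rules being discussed. It assumes the 16-bit length-prefixed opaque encoding that the published RFC 4681 uses for both fields (the thread itself does not show the wire format), uses the standard library's Nameprep profile for the domain comparison Stefan mentions, and adds the cross-field consistency check that Pasi points out the draft leaves unspecified.

```python
import struct
from encodings.idna import nameprep  # stdlib Nameprep (RFC 3491) profile

UPN_DOMAIN_HINT = 0  # user_mapping_version value quoted in the thread


def encode_upn_domain_hint(upn: str, domain: str) -> bytes:
    """Encode UserMappingData { upn_domain_hint, UpnDomainHint { upn, domain } }.

    Wire layout is an assumption taken from RFC 4681: a one-byte version,
    then each field as a 16-bit length-prefixed opaque vector.
    """
    upn_b, dom_b = upn.encode("utf-8"), domain.encode("utf-8")
    return (struct.pack("!B", UPN_DOMAIN_HINT)
            + struct.pack("!H", len(upn_b)) + upn_b
            + struct.pack("!H", len(dom_b)) + dom_b)


def decode_upn_domain_hint(data: bytes) -> tuple:
    """Inverse of encode_upn_domain_hint; rejects unknown versions and trailing bytes."""
    if not data or data[0] != UPN_DOMAIN_HINT:
        raise ValueError("unsupported user_mapping_version")
    pos, fields = 1, []
    for _ in range(2):
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        fields.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes after UpnDomainHint")
    return fields[0], fields[1]


def check_hint(upn: str, domain: str) -> str:
    """Apply the draft's MUST (at least one non-empty field), then the
    consistency check Pasi asks about: when both fields are present the
    domain part of the UPN must match domain_name after Nameprep."""
    if not upn and not domain:
        return "reject: both fields empty"
    if upn and "@" not in upn:
        return "reject: user_principal_name is not of the form user@domain"
    if upn and domain:
        try:
            if nameprep(upn.rsplit("@", 1)[1]) != nameprep(domain):
                return "reject: domain_name conflicts with the UPN's domain"
        except UnicodeError:
            return "reject: domain fails Nameprep"
    return "ok"
```

With Pasi's own example, `check_hint("foo@example.com", "bar.example.net")` is rejected, while a domain-only hint such as `check_hint("", "example.com")` passes.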

