[Trans] Issue with redaction and CN-IDs

Rick Andrews <Rick_Andrews@symantec.com> Thu, 07 April 2016 23:32 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: "trans@ietf.org" <trans@ietf.org>
Date: Thu, 07 Apr 2016 16:32:36 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/q3mT1tSeKJkh2TDftElF8WBlLp8>
Subject: [Trans] Issue with redaction and CN-IDs

Section 4.2 in 6962-bis says:

   When a precertificate contains that extension and contains a CN-ID
   [RFC6125], the CN-ID MUST match the first DNS-ID and have the same
   labels redacted.  TLS clients will use the first entry in the
   SEQUENCE OF INTEGERs to reconstruct both the first DNS-ID and the
   CN-ID.

I'm aware of a problem (confirmed by Peter Bowen at Amazon) with Java7 and
Java8 where getting a new certificate with a different SAN ordering from the
previous one will prevent those Java clients from successfully validating
the new certificate, at least until the cache in the client expires the old
cert information. In most cases, we put the CN-ID in the first SAN field,
but there are exceptions made in cases like this.

I think the spec used to say that the first item in the SEQUENCE represented
the CN-ID, and I missed the discussion where that changed.

-Rick