On Thu, Sep 09, 2010 at 09:29:53PM +0200, Stefan Santesson wrote:

> On the issue of checking multiple name forms.
>
> I would put it in another way. Web clients are typically only used to check
> the domain name and nothing else because it is the only thing they care
> about and know how to match.

Not just Web, but likely the various other applications listed in the appendix of draft-saintandre-tls-server-id-check also (IMAP, POP3, LDAP, ..)

> PKI enabled clients in general are used to check numerous name forms and
> attributes in order to determine a match.

Can you give us some examples of such applications, and where their subject identity matching rules are specified? Appendix A ("Prior Art") probably should consider them.

> I think it is wrong to say as a general rule that a certificate successfully
> maps to the appropriate server if either the SRV-Name or the DNS Name
> matches. To me this is highly context dependent where different protocols
> and applications have different needs.

Yeah, I think I agree with that. Ultimately the application protocol should decide what its (potentially arbitrarily complex) identity matching rules should be. This is why I'm suspicious that the current draft can successfully achieve its supposed goal of defining some general purpose rules or best practices. One of the ideas was that application protocol designers often don't want to be concerned with the complex details of certificate matching and verification rules and would like to refer to some standard document that does.

> If the only thing I need to know is that the server is authorized to deliver
> the requested service for the requested domain, then SRVName match only is
> OK. If you need to know that this host is the host it claims to be, then
> it's not.
>
> What needs to be checked is to me a typical case of local policy and one
> size does not fit all.
>
> /Stefan
>

-- 
Shumon Huque
University of Pennsylvania.
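The "local policy" point in the exchange above, as an added example that is not part of the thread or of the draft: a toy matcher that compares the DNS-ID and SRV-ID values presented in a server certificate against the client's reference identifiers under two different policies. The policy names, the `verify_identity` signature, the dict layout of presented identifiers and the strict "whole left-most label only" wildcard rule are my own assumptions; the SRV-ID format `_service.domain` follows the SRVName otherName the draft builds on.

```python
# Added example, not code from the thread or the draft. Models the two policies
# Stefan describes: "server is authorized for this service in this domain"
# versus "this host is the host it claims to be".

def _dns_id_matches(presented: str, reference: str) -> bool:
    """Case-insensitive DNS-ID comparison. Assumption: a wildcard is honoured
    only as the complete left-most label ('*.example.com'), never as a bare
    '*' or as part of a label ('w*.example.com'), and it covers one label."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r
    plabels, rlabels = p.split("."), r.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(rlabels):
        return False
    return plabels[1:] == rlabels[1:]


def _srv_id_matches(presented: str, service: str, domain: str) -> bool:
    """SRV-ID is '_<service>.<domain>' (SRVName otherName); no wildcards."""
    p = presented.lower().rstrip(".")
    if not p.startswith("_"):
        return False
    svc, _, name = p.partition(".")
    return svc == "_" + service.lower() and name == domain.lower().rstrip(".")


def verify_identity(presented: dict, service: str, domain: str,
                    host: str, policy: str) -> bool:
    """presented: {'DNS-ID': [...], 'SRV-ID': [...]} as pulled from the SAN.

    'service-authorization': an SRV-ID for (service, domain), or a DNS-ID for
        the domain itself, is enough; the connected host may be a delegate.
    'host-identity': a DNS-ID must match the host actually connected to.
    """
    dns_ids = presented.get("DNS-ID", [])
    srv_ids = presented.get("SRV-ID", [])
    if policy == "service-authorization":
        return (any(_srv_id_matches(s, service, domain) for s in srv_ids)
                or any(_dns_id_matches(d, domain) for d in dns_ids))
    if policy == "host-identity":
        return any(_dns_id_matches(d, host) for d in dns_ids)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: IMAP for example.com delegated via SRV to a hoster.
    cert = {"SRV-ID": ["_imap.example.com"], "DNS-ID": ["mx1.hosting.example"]}
    for pol in ("service-authorization", "host-identity"):
        print(pol, verify_identity(cert, "imap", "example.com",
                                   "mx1.hosting.example", pol))
```

The same certificate with only the SRV-ID passes the first policy and fails the second, which is exactly the "one size does not fit all" case the thread is arguing about.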
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf