On Thu, Sep 09, 2010 at 09:29:53PM +0200, Stefan Santesson wrote:
On the issue of checking multiple name forms.
I would put it in another way. Web clients are typically only used to check
the domain name and nothing else because it is the only thing they care
about and know how to match.
Not just Web, but likely the various other applications listed
in the appendix of draft-saintandre-tls-server-id-check also
(IMAP, POP3, LDAP, ...).
PKI-enabled clients in general are used to check numerous name forms and
attributes in order to determine a match.
Can you give us some examples of such applications, and where
their subject identity matching rules are specified? Appendix
A ("Prior Art") probably should consider them.
I think it is wrong to say as a general rule that a certificate successfully
maps to the appropriate server if either the SRV-Name or the DNS Name
matches. To me this is highly context dependent where different protocols
and applications have different needs.
Yeah, I think I agree with that. Ultimately the application protocol
should decide what its (potentially arbitrarily complex) identity
matching rules should be. This is why I'm suspicious that the current
draft can successfully achieve its supposed goal of defining some
general purpose rules or best practices.
One of the ideas was that application protocol designers often
don't want to be concerned with the complex details of certificate
matching and verification rules and would like to refer to some
standard document that does.
If the only thing I need to know is that the server is authorized to deliver
the requested service for the requested domain, then SRVName match only is
OK. If you need to know that this host is the host it claims to be, then
What needs to be checked is to me a typical case of local policy and one
size does not fit all.
University of Pennsylvania.
Ietf mailing list
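The thread's point is that whether an SRV-ID, a DNS-ID, or either one is a sufficient match is something the application protocol (or local policy) has to decide, not a rule a generic document can fix once for everyone. The following is an added example written for this page, not code from the thread, from draft-saintandre-tls-server-id-check, or from any library: it takes identifiers already extracted from a server certificate (no X.509 parsing; the sample certificates are constructed inline), matches DNS-IDs and SRV-IDs against what the client asked for, and lets the caller pick the combination rule. The policy names (`dns_only`, `srv_only`, `either`, `srv_then_dns`) are this example's own; the `_service.domain` form of the SRV-ID follows RFC 4985. It goes slightly beyond the thread by also handling a left-most-label wildcard in DNS-IDs.

```python
# Added example: reference-identity matching driven by an application-level
# policy. Illustrative code for this page only; not from the thread, from
# draft-saintandre-tls-server-id-check, or from any library.
# Assumptions: presented identifiers were already extracted from the server
# certificate (no X.509 parsing here); SRV-IDs use the RFC 4985
# "_service.domain" form; the policy names below are made up for this example.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PresentedIds:
    """Identifiers taken from a server certificate (constructed, not parsed)."""
    dns_ids: Tuple[str, ...] = ()   # subjectAltName dNSName entries
    srv_ids: Tuple[str, ...] = ()   # otherName id-on-dnsSRV, "_service.domain"


@dataclass(frozen=True)
class Reference:
    """What the client expects: the source domain and, optionally, a service."""
    domain: str
    service: Optional[str] = None   # e.g. "imap"; None for a plain host check


def _norm(name: str) -> str:
    # Case-insensitive comparison on presentation-form names; tolerate a
    # trailing dot. IDN/A-label handling is deliberately out of scope here.
    return name.rstrip(".").lower()


def dns_id_matches(presented: str, reference_domain: str) -> bool:
    """Match a DNS-ID; a wildcard may only replace the whole left-most label."""
    p, r = _norm(presented), _norm(reference_domain)
    if p.startswith("*."):
        suffix = p[1:]                      # ".example.com"
        if not r.endswith(suffix):
            return False
        prefix = r[: -len(suffix)]          # the label the '*' stands for
        return prefix != "" and "." not in prefix
    return p == r


def srv_id_matches(presented: str, ref: Reference) -> bool:
    """Match an SRV-ID: both the service label and the domain must agree."""
    p = _norm(presented)
    if ref.service is None or not p.startswith("_"):
        return False
    service, _, domain = p[1:].partition(".")
    return service == ref.service.lower() and domain == _norm(ref.domain)


def accept(presented: PresentedIds, ref: Reference, policy: str) -> bool:
    """Apply an application-chosen policy to the presented identifiers.

    Policy names are this example's own, not from any specification:
      dns_only      - what a Web browser does: only DNS-IDs count
      srv_only      - only an SRV-ID for the requested service counts
      either        - the "SRV-Name or DNS Name" rule the thread objects to
      srv_then_dns  - if the certificate carries any SRV-ID, require an SRV-ID
                      match; otherwise fall back to DNS-ID (a certificate that
                      names a service must not be accepted for a different one)
    """
    dns_ok = any(dns_id_matches(d, ref.domain) for d in presented.dns_ids)
    srv_ok = any(srv_id_matches(s, ref) for s in presented.srv_ids)
    if policy == "dns_only":
        return dns_ok
    if policy == "srv_only":
        return srv_ok
    if policy == "either":
        return dns_ok or srv_ok
    if policy == "srv_then_dns":
        return srv_ok if presented.srv_ids else dns_ok
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: an IMAP client asked for example.com's mail service.
    ref = Reference("example.com", "imap")
    cert = PresentedIds(dns_ids=("mail.example.com",),
                        srv_ids=("_imap.example.com",))
    for policy in ("dns_only", "srv_only", "either", "srv_then_dns"):
        print(policy, accept(cert, ref, policy))
```

The same certificate is accepted or rejected depending only on which rule the application selects: a certificate for `mail.example.com` carrying `_imap.example.com` fails a browser-style `dns_only` check against `example.com` but passes the SRV-based ones, while a certificate carrying `_xmpp-client.example.com` plus a DNS-ID for `example.com` passes `dns_only` and `either` but fails `srv_then_dns` for an IMAP client, which is exactly the difference the thread says cannot be settled by one general rule.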