Re: Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

2010-07-18 13:00:19
On Sun, Jul 18, 2010 at 08:17:22AM -0700, Paul Hoffman wrote:
> At 11:29 PM -0400 7/17/10, Shumon Huque wrote:
> > On Thu, Jul 15, 2010 at 04:29:07PM -0700, Paul Hoffman wrote:
> > > At 4:08 PM -0700 7/15/10, The IESG wrote:
> > > > The IESG has received a request from an individual submitter to consider
> > > > the following document:
> > > >
> > > > - 'Representation and Verification of Domain-Based Application Service
> > > >   Identity in Certificates Used with Transport Layer Security '
> > > >   <draft-saintandre-tls-server-id-check-08.txt> as a Proposed Standard
> > >
> > >
> > > The middle of Section 4.2 says:
> > >    The client then orders the list in accordance with the following
> > >    rules:
> > > Then, in 4.3, it checks each reference in this ordered list until
> > > it (hopefully) finds a match. Given that it is going to do an
> > > exhaustive search, what is the purpose of ordering?
> >
> > Not sure I'm following your question, but the purpose of ordering
> > is to look for the subject identities in preference order (SRV/URI,
> > before dNSName, before Common Name etc). Once a match is found,
> > the search is aborted; an exhaustive search is only performed if
> > the matched identity is the last one or there is no match. Section
> > 4.3 has:
> >
> >   It does so by seeking a match in preference order
> >   and aborting the search if any presented identifier matches one of
> >   its reference identifiers.  The search fails if the client exhausts
> >   its list of reference identifiers without finding a match.
>
> I understand that, but what is the advantage of searching in the preferred
> order over, say, searching in random order of the pile? I don't see an
> advantage of getting a result from the more-preferred identity if you are
> eventually going to accept anything.
>
> If there is no advantage, the "sort the pile before searching" step adds
> complexity without benefit, and thus should be dropped. If there is some
> advantage, I'm fine with it being there.
>
> --Paul Hoffman, Director
> --VPN Consortium

Well, one reason would be to reduce the number of verification
steps imposed on a client by a certificate with a more preferred
or more specific identity type.

-- 
Shumon Huque
University of Pennsylvania.
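The ordering step and the first-match search the thread argues about, as an added Python illustration (not code from the draft or from either participant). The identifier types and the preference order are the ones quoted in the thread; the matching rules, the sample reference list and the sample certificate identifiers are simplified constructions of this example.

```python
# Added illustration, not code from the draft or the thread: the Section 4.2
# ordering step followed by the Section 4.3 first-match search, instrumented
# to count comparisons so the saving Shumon describes is visible.
# Matching rules are simplified (case-insensitive exact match; '*' may only
# stand for the whole left-most label of a DNS-ID) and are an assumption here.
from typing import List, Optional, Tuple

Identifier = Tuple[str, str]  # (type, value), e.g. ("DNS-ID", "example.com")

# Preference order quoted in the thread: SRV-ID/URI-ID, then DNS-ID, then CN-ID.
PREFERENCE = {"SRV-ID": 0, "URI-ID": 0, "DNS-ID": 1, "CN-ID": 2}


def order_references(refs: List[Identifier]) -> List[Identifier]:
    """Section 4.2: order the reference identifiers by type preference (stable)."""
    return sorted(refs, key=lambda ref: PREFERENCE[ref[0]])


def matches(presented: Identifier, reference: Identifier) -> bool:
    """Simplified comparison of one presented identifier with one reference."""
    (ptype, pval), (rtype, rval) = presented, reference
    if ptype != rtype:
        return False
    pval, rval = pval.lower(), rval.lower()
    if ptype == "DNS-ID" and pval.startswith("*."):
        # "*.example.com" matches "host.example.com" but not "example.com".
        return "." in rval and rval.split(".", 1)[1] == pval[2:]
    return pval == rval


def seek_match(refs: List[Identifier],
               presented: List[Identifier]) -> Tuple[Optional[Identifier], int]:
    """Section 4.3: try references in list order and abort at the first match.
    Returns (matching reference or None, number of comparisons performed)."""
    comparisons = 0
    for ref in refs:
        for pres in presented:
            comparisons += 1
            if matches(pres, ref):
                return ref, comparisons
    return None, comparisons


# Constructed sample: a client reaching the XMPP service at example.com, and a
# certificate that carries only an SRV-ID and a wildcard DNS-ID.
REFERENCES: List[Identifier] = [("CN-ID", "example.com"), ("DNS-ID", "example.com"),
                                ("SRV-ID", "_xmpp-client.example.com")]
PRESENTED: List[Identifier] = [("SRV-ID", "_xmpp-client.example.com"),
                               ("DNS-ID", "*.example.com")]
```

With the list as constructed, `seek_match(REFERENCES, PRESENTED)` performs 5 comparisons before it reaches the SRV-ID, while `seek_match(order_references(REFERENCES), PRESENTED)` matches on the first one.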