
Re: Review of draft-saintandre-tls-server-id-check

2010-09-08 17:50:06
On 9/8/10 8:21 AM, Stefan Santesson wrote:
> My apology,
> 
> I just realized that the document defines "source domain" as what I thought
> would be the "target domain".
> 
>    source domain:  The fully-qualified DNS domain name that a client
>       expects an application service to present in the certificate.
> 
> Which makes my comments below a bit wrong.
> 
> I think it would be better to discuss this in terms of "reference
> identifier" and "presented identifier".
> 
>    presented identifier:  An identifier that is presented by a server to
>       a client within the server's PKIX certificate when the client
>       attempts to establish a secure connection with the server; the
>       certificate can include one or more presented identifiers of
>       different types.
> 
>    reference identifier:  An identifier that is used by the client for
>       matching purposes when checking the presented identifiers; the
>       client can attempt to match multiple reference identifiers of
>       different types.
> 
> I see no problem in obtaining the reference identifier from a DNS lookup and
> then comparing it with a presented identifier in the certificate.
> 
> Why would you require the reference identity to be provided by a human user?

Because the user is trying to connect to (say) a source domain of
example.com, not a target domain of apps.hosting.net. Jeff and I have
assumed all along that normal humans don't know anything about such
hosting services or other delegated parties (heck, normal humans know
very little about SSL/TLS or certificates or DNS resolution or any of
the other magic that happens behind the scenes, but we assume that
normal humans at least think they want to connect to bigbank.com and not
possiblyshadydelegationservice.info).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
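Added example, not code from the draft or from either correspondent: a small matcher that compares reference identifiers against the presented identifiers in a certificate, then runs the scenario from this exchange (source domain example.com, target domain apps.hosting.net) with each candidate as the reference identifier. The PresentedIdentifier type, the "dNSName" label, the sample certificate names and the one-label wildcard rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PresentedIdentifier:
    """One identifier taken from a server certificate (constructed type)."""
    kind: str    # assumed label, e.g. "dNSName"
    value: str


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so that comparison is case-insensitive."""
    return name.rstrip(".").lower()


def matches(reference: str, presented: PresentedIdentifier) -> bool:
    """Exact match, or a left-most '*' label standing in for exactly one label.

    The wildcard rule here is a deliberate simplification for the example.
    """
    if presented.kind != "dNSName":
        return False
    ref, pres = normalize(reference), normalize(presented.value)
    if pres == ref:
        return True
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]
    return False


def check_identity(references: Iterable[str],
                   presented: Iterable[PresentedIdentifier]) -> Optional[str]:
    """Return the presented value matched by any reference identifier, else None."""
    presented = list(presented)
    for ref in references:
        for pid in presented:
            if matches(ref, pid):
                return pid.value
    return None


# Constructed scenario from the thread: the user wants example.com (source domain),
# DNS says the service is hosted at apps.hosting.net (target domain), and the host
# presents a certificate issued for the hosting provider's names only.
CERT_SANS = [PresentedIdentifier("dNSName", "*.hosting.net"),
             PresentedIdentifier("dNSName", "hosting.net")]


def source_domain_check() -> Optional[str]:
    """Reference identifier is what the user typed: the hosting cert does not match."""
    return check_identity(["example.com"], CERT_SANS)


def target_domain_check() -> Optional[str]:
    """Reference identifier is what the DNS lookup returned: the hosting cert matches."""
    return check_identity(["apps.hosting.net"], CERT_SANS)
```

The two checks differ only in where the reference identifier came from, which is exactly the choice under discussion: with a DNS-derived reference identifier, whatever resolves the lookup also decides which certificate is acceptable.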


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
