Hi Paul,
Paul Hoffman wrote:
> At 2:54 PM -0600 6/11/10, Peter Saint-Andre wrote:
> > Version -05 of draft-saintandre-tls-server-id-check has some warning
> > text about Domain Components (DCs). However, the more I delve into the
> > matter, the less I think that we need to warn people away from using
> > DCs from a security perspective. The problem with them would arise from
> > confusion about the order of DCs based on the string representation;
> > however, that kind of confusion is possible for any RDNs and is not
> > limited to DCs (so follow the DER order, not the string order). There
> > might be other reasons to discourage DCs, but so far I have not heard
> > them, so I'm inclined to remove the warnings from -06.
> > Do speak up if you're concerned about this proposal.
> Finally decloaking after being off this topic for a while.
> I am *quite* concerned about this. The DC ordering problem is not "based on the
> string representation": it is because the set of DCs can be read *by the program* in
> two directions.
> For example, think about a cert with "dc=com dc=net". Both net.com and com.net
> exist today. For different applications, that one cert could apply to two completely
> different domains.
I personally don't care if DCs are allowed or not by this document.
But if DCs are to be prohibited in this document, I want to make sure
that the document gives the right reason for that.
The order of RDNs in a DN is fixed. So you are saying that there are
buggy implementations (and maybe most of them are buggy) which don't
read RDNs in the correct order, that is why we need to prohibit use of
DCs in subjectName?
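The two-direction reading Paul describes, as an added illustration that is not part of this thread or of the draft: a DN is modelled as a Python list of RDNs in DER order (the order a decoder actually sees), the RFC 4514 string form is reversed into that order, and the domain is derived root-label-first as RFC 2247 specifies. Assumption: the constructed string DNs contain no escaped commas or multi-valued RDNs.

```python
# Added example, not from the certid thread. Models the DC ordering
# ambiguity: the same DER-ordered DCs name different domains depending on
# which direction a program walks them.
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value)


def parse_rfc4514(s: str) -> List[RDN]:
    """Turn a simple RFC 4514 string DN into RDNs in DER order.

    RFC 4514 prints RDNs in the reverse of DER order, so the parsed list
    is reversed to recover what the certificate actually encodes.
    Assumption (constructed input): no escaped commas, no multi-valued RDNs.
    """
    rdns: List[RDN] = []
    for part in s.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return list(reversed(rdns))


def dc_values(dn: List[RDN]) -> List[str]:
    """The DC values exactly as they sit in DER order."""
    return [value for attr, value in dn if attr == "dc"]


def domain_from_dcs(dn: List[RDN]) -> Optional[str]:
    """RFC 2247 derivation: the root label (e.g. dc=com) is first in DER
    order, so the hostname is the DC values joined most-specific first."""
    dcs = dc_values(dn)
    return ".".join(reversed(dcs)) if dcs else None


def domain_read_backwards(dn: List[RDN]) -> Optional[str]:
    """What a reader that walks the DCs in the other direction produces."""
    dcs = dc_values(dn)
    return ".".join(dcs) if dcs else None


def dc_readings_differ(dn: List[RDN]) -> bool:
    """True when the two directions name different domains, i.e. the
    'dc=com dc=net' case (net.com versus com.net) from the thread."""
    forward, backward = domain_from_dcs(dn), domain_read_backwards(dn)
    return forward is not None and forward != backward
```

A verifier that ties itself to one direction (the DER order, as Peter suggests) is unambiguous by construction; `dc_readings_differ` shows which certificates would be accepted for two unrelated domains by an implementation that does not.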
_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid