I think that the I-D has got a bit mangled. I liked, and may have been responsible for, the reference to RFC2818 as being an example of the checks to perform on a certificate, written about a well-known application by someone familiar with TLS :-) This was the basis for our validation rules (CN deprecated, subjectAltName must be used as an identity, etc.), and it helped (me) to know where they came from.
The mention of certificates warranted a reference and that was provided by RFC3280. This reference was never about validation rules. We did not use to have certificate path validation. We do now and I do not know a good reference for it; I agree that RFC3280 et seq is not it. This lack I see as a(nother?) deficiency on the part of the security engineers :-(

Tom Petch

----- Original Message -----
From: "Rainer Gerhards" <[EMAIL PROTECTED]>
To: "Joseph Salowey (jsalowey)" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Thursday, May 29, 2008 8:21 AM
Subject: Re: [Syslog] -transport-tls references to "matching rules"

> Mhhh... Wouldn't it then be appropriate to drop these sentences from
> transport-tls:
>
> ###
> Matching for certificate credentials is performed using the
> matching rules specified by [3].
> ###
>
> They created the impression (at least for me) that I need to look up the
> rule in 5280 in order to implement -tls correctly. As you now say, this
> is not the case (it may be with internationalized names on subject name
> matching, but it seems not to be in other cases, namely for ipAddress,
> where it is specified, too).
>
> Rainer
>
> > -----Original Message-----
> > From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 29, 2008 3:01 AM
> > To: Rainer Gerhards; [email protected]
> > Subject: RE: [Syslog] -transport-tls references to "matching rules"
> >
> > The only place 5280 goes into great detail about matching is with
> > internationalized names. I don't think it specifies any specific rules
> > for matching the iPaddress within a subjectAltName. This is left up to
> > the definition by the application making use of the certificates. I'm
> > not sure we need to standardize matching behavior unless it affects the
> > representation within the certificates (for example including wildcards
> > in the identities).
> >
> > Joe
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, May 28, 2008 8:41 AM
> > > To: [email protected]
> > > Subject: [Syslog] -transport-tls references to "matching rules"
> > >
> > > Hi,
> > >
> > > -transport-tls refers (as [3] to RFC 5280), e.g. "Matching
> > > for certificate credentials is performed using the matching
> > > rules specified by [3]." I am revisiting 5280 to find the
> > > matching rules for ipAddress. However, this is a nearly 150
> > > page document and I admit I do not know its ins and outs. It
> > > would be really helpful if a section is mentioned inside the
> > > reference so that one can quickly look up the rules.
> > >
> > > And, a hopefully quick question, where do I find the rules
> > > for ipAddress? I was unable to bring it up on a quick look.
> > >
> > > Thanks,
> > > Rainer

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
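The thread turns on what the "matching rules" for a syslog TLS peer actually are once RFC 5280 is ruled out: Tom's rules came from RFC 2818 (identity taken from subjectAltName, CN deprecated), and Joe notes that 5280 says nothing about iPAddress matching at all. The Python below is an added example for this page, not code from the thread, from -transport-tls, or from any syslog implementation. It implements the RFC 2818 reference-identity rules over a constructed SAN list and subject CN (a real client would pull these out of the peer certificate after path validation, which this code assumes has already succeeded). The RFC 2818 wildcard semantics are reproduced as written there; RFC 6125 later tightened wildcard handling, so a new implementation should consult it as well.

```python
"""RFC 2818-style reference-identity matching for a TLS peer certificate.

Added illustration, not code from the syslog WG or any implementation.
The SAN entries and subject CN are constructed inputs; path validation of
the certificate is assumed to have been done before this check runs.
"""
import ipaddress
import re
from typing import Optional, Sequence, Tuple, Union

# One subjectAltName entry as (type, value). A dNSName carries a str; an
# iPAddress carries the raw 4- or 16-octet address exactly as encoded in
# the certificate (no textual form is ever stored there).
SanEntry = Tuple[str, Union[str, bytes]]


def _label_matches(pattern: str, label: str) -> bool:
    """RFC 2818: '*' matches any single component or component fragment."""
    if "*" not in pattern:
        return pattern == label
    regex = "[^.]*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label comparison requiring the same label
    count, so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def match_reference_identity(reference: str,
                             san: Sequence[SanEntry],
                             subject_cn: Optional[str]) -> bool:
    """Return True if the certificate identifies `reference`, which is the
    hostname or IP literal the client used to reach the syslog peer."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None

    if ip is not None:
        # IP literal: RFC 2818 requires an iPAddress SAN that matches exactly.
        # Compare packed octets, never strings; a dNSName holding the dotted
        # text of the address does not count, and the CN is not consulted.
        return any(t == "iPAddress" and v == ip.packed for t, v in san)

    dns_names = [v for t, v in san if t == "dNSName"]
    if dns_names:
        # dNSName present: it MUST be the identity; a matching CN is ignored.
        return any(dns_name_matches(n, reference) for n in dns_names)
    # No dNSName in the SAN: fall back to the (most specific) subject CN.
    return subject_cn is not None and dns_name_matches(subject_cn, reference)


# Constructed identity data standing in for a parsed peer certificate.
EXAMPLE_SAN: Sequence[SanEntry] = [
    ("dNSName", "syslog.example.net"),
    ("dNSName", "*.relay.example.net"),
    ("iPAddress", bytes([192, 0, 2, 10])),
    ("iPAddress", ipaddress.ip_address("2001:db8::10").packed),
]
EXAMPLE_CN = "syslog.example.net"

if __name__ == "__main__":
    for ref in ("syslog.example.net", "r1.relay.example.net",
                "192.0.2.10", "192.0.2.11", "2001:db8::10"):
        print(f"{ref:24} -> {match_reference_identity(ref, EXAMPLE_SAN, EXAMPLE_CN)}")
```

The iPAddress branch is the part the thread could not find in 5280: the certificate stores raw octets, so the only sensible rule is byte-equality against the packed form of the address the transport actually connected to, which also makes the IPv6 textual-form question ("2001:db8::10" versus the expanded spelling) disappear.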
