On 17/12/14 18:16, Stephen Kent wrote:
> Rob,
>
>> #54: Simplify name redaction
>> The name redaction mechanism, as currently defined, does not reveal how
>> many labels have been redacted. This seems unnecessary. If we're happy
>> to reveal the number of redacted labels, then we could simplify the name
>> redaction mechanism by...
>> - scrapping the "redactedLabels" Certificate extension
>> (1.3.6.1.4.1.11129.2.4.6).
>
> I think that indicating how many names have been redacted is a good
> simplification.

Thanks Stephen.

>> - stating that the literal string "(PRIVATE)" always covers precisely
>> _one_ label.
>
> Since DNS names are case insensitive, I suggest we not represent a reserved
> label in uppercase. It may cause some readers to believe that the label is
> special because of its case.

The private label _is_ "special" though. :-)
It's intended to be a placeholder for a real label.

>> So for example, if you wanted to redact 3 components, you'd put
>> "SAN:dNSName=(PRIVATE).(PRIVATE).(PRIVATE).mydomain.com" in the
>> Precertificate.
>> To reduce bloat, I think we should also change "(PRIVATE)" to "?".
>> e.g. "SAN:dNSName=?.?.?.mydomain.com"
>
> Is "?" a legal DNS label character? It doesn't seem so as per RFC 1034,
> and RFC 5280 cites 1034 as the normative spec for dNSName syntax in
> the subjectAltName extension.
I agree that "?" is not a valid DNS label character according to RFC
1034, but that's actually a useful characteristic here. If it was a
valid DNS label character, then it could be mistakenly interpreted as a
real label rather than as just a placeholder!
"*" isn't a valid DNS label character either, and yet it is commonly
used in SAN->dNSName fields as a placeholder.
You're referring to this part of RFC5280 Section 4.2.1.6:
"When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]."
If one or more labels is a placeholder rather than a real label, then
IMHO the string is _not_ a "domain name system label". And therefore,
the two MUST requirements quoted above don't apply.
Also, AFAICT RFC5280 doesn't prohibit putting strings that are _not_
"domain name system labels" into SAN->dNSName fields.
Towards the end of Section 4.2.1.6 it says:
"Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification. Applications with specific
requirements MAY use such names, but they must define the semantics."
So, as long as we "define the semantics" for our use of "?", I don't
think we're doing anything wrong.
Do you agree?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
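A worked example of the points argued above, added here as an illustration; it is not code from Rob's message, from Stephen, or from the 6962-bis draft. It checks a dNSName against the RFC 1034 section 3.5 / RFC 1123 section 2.1 "preferred name syntax" (so "?" and "*" are rejected, as Stephen notes), parses a precertificate dNSName under the proposed semantics where each placeholder label stands for exactly one redacted label, and checks whether a final-certificate name is consistent with that redacted form. Two assumptions are mine, not the thread's: placeholder labels only appear as a contiguous run of leading labels, and the placeholder string defaults to "?" with "(PRIVATE)" accepted as an alternative.

```python
import re
from typing import NamedTuple

# RFC 1034 s3.5 "preferred name syntax", as relaxed by RFC 1123 s2.1:
# a label is 1..63 letters, digits or hyphens, may start with a digit,
# and must not start or end with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumption for this example: "?" is the one-label placeholder proposed in
# the thread; "(PRIVATE)" is the earlier spelling and can be passed instead.
PLACEHOLDER = "?"


def is_preferred_name_syntax(name: str) -> bool:
    """True iff every label of `name` is valid RFC 1034/1123 preferred name syntax.

    Placeholder strings such as "?" or "*" fail this check, which is exactly
    what lets a consumer tell a placeholder from a real label.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


class RedactedName(NamedTuple):
    redacted_labels: int   # how many leading labels were redacted
    visible_suffix: str    # the unredacted tail, e.g. "mydomain.com"


def parse_redacted_dnsname(value: str, placeholder: str = PLACEHOLDER) -> RedactedName:
    """Parse a precertificate dNSName under the proposed one-label-per-placeholder rule.

    Assumption (not stated in the thread): placeholders may only form a run of
    leading labels, and the visible suffix must itself be preferred name syntax.
    """
    labels = value.split(".")
    n = 0
    while n < len(labels) and labels[n] == placeholder:
        n += 1
    rest = labels[n:]
    if not rest:
        raise ValueError("redacted name has no visible suffix")
    if placeholder in rest:
        raise ValueError("placeholder label appears after a real label")
    suffix = ".".join(rest)
    if not is_preferred_name_syntax(suffix):
        raise ValueError(f"visible suffix {suffix!r} is not preferred name syntax")
    return RedactedName(n, suffix)


def matches_redaction(full_name: str, redacted: RedactedName) -> bool:
    """Does a final-certificate dNSName agree with the precertificate's redacted form?

    The name must be preferred name syntax, have exactly `redacted_labels`
    extra leading labels, and share the visible suffix (compared
    case-insensitively, since DNS names are case-insensitive).
    """
    if not is_preferred_name_syntax(full_name):
        return False
    labels = full_name.lower().split(".")
    suffix = redacted.visible_suffix.lower().split(".")
    if len(labels) != redacted.redacted_labels + len(suffix):
        return False
    return labels[redacted.redacted_labels:] == suffix


if __name__ == "__main__":
    # Constructed sample input, matching the example in the thread.
    precert_san = "?.?.?.mydomain.com"
    redacted = parse_redacted_dnsname(precert_san)
    print(redacted)                                              # RedactedName(redacted_labels=3, visible_suffix='mydomain.com')
    print(matches_redaction("a.b.c.MyDomain.com", redacted))    # True
    print(matches_redaction("a.b.mydomain.com", redacted))      # False: only two labels redacted
    print(is_preferred_name_syntax(precert_san))                 # False: "?" is not a label character
```

Because the precertificate now reveals the count, the consistency check is purely structural: a monitor comparing a final certificate against the logged precertificate only needs to verify that the label count and the visible suffix line up, without any separate extension.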