> Possible text for the Security Considerations:
>
> ###
>
> 5.4. Multiple Identifiers
>
> This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a
> certificate, but discourages multiple CN-IDs. The inclusion in the
> Common Name of multiple strings whose form matches that of a fully-
> qualified DNS domain name (e.g., "www.example.com") makes it more
> difficult to parse the Common Name and increases the likelihood of
> false positives in the identity verification process. Although it
> would be preferable to forbid multiple CN-IDs entirely, there are
> several reasons why this specification states that they SHOULD NOT
> (instead of MUST NOT) be included:
>
> o At least one significant technology community of interest
> explicitly allows multiple CN-IDs [EV-CERTS].
>
> o At least one significant certification authority is known to issue
> certificates containing multiple CN-IDs.
>
> o Many service providers often deem inclusion of multiple CN-IDs
> necessary in "virtual hosting" environments because at least one
> widely-deployed operating system does not yet support the Server
> Name Indication extension [TLS-EXT].
>
> It is hoped that the recommendation in this specification can be
> further tightened in the future.
>
> ###
>
> To be referenced from bullet #6 in Section 3.1:
>
> 6. The certificate MAY contain more than one DNS-ID, SRV-ID, or
> URI-ID (but SHOULD NOT contain more than one CN-ID, as further
> explained under Section 5.4).
In general looks good to me, thanks.
However, I'd alter the first sentence to s/allows/accommodates/, and in 2nd
sentence s/discourages/explicitly discourages/.
I'd alter the last sentence of 1st para s/reasons/reasons at this time/.
And in terms of this..
The inclusion of
multiple strings whose form matches that of a fully-qualified DNS
domain name (e.g., "www.example.com") makes it more difficult to
parse the Common Name and therefore increases the likelihood of false
positives in the identity verification process.
..well, no, it doesn't make it more difficult to parse, and "it" is the
Subject, not "the CN". There are multiple CN= AVAs in the Subject, but parsing
them out is simple. I guess I'd just delete that entire middle sentence "The
inclusion of...process."
=JeffH
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
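Added example, not text or code from RFC 6125 or from any participant in this thread: a standard-library Python sketch of the point under discussion. It pulls every CN= AVA out of an RFC 4514 string form of the Subject (the "parsing them out is simple" step), then applies the RFC 6125 section 6.4.4 rule that a CN-ID is consulted only when the certificate presents no DNS-ID, and flags the SHOULD NOT case of more than one FQDN-shaped CN. The "certificate" is an assumed dict of `subject` string plus `san_dns` list, standing in for a parsed X.509 object; the sample certificates are constructed, not real issued ones.

```python
"""RFC 6125-style identity check over a Subject with multiple CN= AVAs.

Added example for the certid thread above; not text or code from RFC 6125
or from any list participant.  Standard library only.  The "certificate"
is an assumed dict {'subject': <RFC 4514 string>, 'san_dns': [...]} that
stands in for a parsed X.509 object.
"""
import re
from typing import Dict, List, Tuple

# A CN value counts as a CN-ID only if it has the form of a fully-qualified
# DNS name (RFC 6125 s1.8); a leading "*." wildcard label is permitted.
_FQDN_RE = re.compile(
    r"^(\*\.)?(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+\.?$",
    re.IGNORECASE,
)


def _split_unescaped(s: str, seps: str) -> List[str]:
    """Split s on any character in seps that is not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):  # keep the escaped character verbatim
            cur.append(s[i + 1])
            i += 2
            continue
        if c in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Flatten an RFC 4514 string DN into (attribute type, value) AVAs.

    Handles single-character escapes such as "\\," "\\+" "\\=" and "+"
    multi-valued RDNs; hex-pair escapes and BER "#..." values are out of scope.
    """
    avas = []
    for ava in _split_unescaped(dn, ",+"):
        ava = ava.strip()
        if not ava:
            continue
        if "=" not in ava:
            raise ValueError(f"malformed AVA: {ava!r}")
        typ, _, val = ava.partition("=")  # first "=" separates type from value
        avas.append((typ.strip().upper(), val.strip()))
    return avas


def cn_values(subject_dn: str) -> List[str]:
    """Every CN= AVA in the Subject, in string order."""
    return [v for t, v in parse_dn(subject_dn) if t == "CN"]


def dns_match(reference: str, presented: str) -> bool:
    """RFC 6125 s6.4.3 comparison: case-insensitive, wildcard only as the
    whole left-most label, matching exactly one label, and only when at
    least two labels follow the wildcard."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if pres[0] == "*":
        return len(pres) >= 3 and len(ref) == len(pres) and ref[1:] == pres[1:]
    return ref == pres


def verify_identity(reference_id: str, cert: Dict) -> Dict:
    """Select presented identifiers per RFC 6125 s6.4.4, then compare.

    DNS-IDs in subjectAltName win outright; the CN is consulted only when the
    certificate presents no DNS-ID.  More than one FQDN-shaped CN is still
    accepted (SHOULD NOT, not MUST NOT) but reported in 'warnings'.
    """
    warnings: List[str] = []
    if cert["san_dns"]:
        kind, ids = "DNS-ID", list(cert["san_dns"])
    else:
        kind = "CN-ID"
        ids = [c for c in cn_values(cert["subject"]) if _FQDN_RE.match(c)]
        if len(ids) > 1:
            warnings.append(f"{len(ids)} CN-IDs present: {ids}")
    matched = any(dns_match(reference_id, p) for p in ids)
    return {"matched": matched, "kind": kind, "ids": ids, "warnings": warnings}


# Constructed sample "certificates" (not real issued certificates).
CERT_SAN = {
    "subject": "CN=www.example.com,O=Example\\, Inc.,C=US",
    "san_dns": ["www.example.com", "example.com"],
}
# SAN present but for a different name: the CN must NOT rescue the match.
CERT_SAN_OTHER = {
    "subject": "CN=www.example.com,O=Example Corp,C=US",
    "san_dns": ["www.example.net"],
}
# Legacy multi-CN virtual-hosting shape: no SAN, three CN= AVAs, one of
# which is not FQDN-shaped and therefore is not a CN-ID at all.
CERT_MULTI_CN = {
    "subject": "CN=www.example.com,CN=example.com,CN=Example Corp Web,"
               "O=Example Corp,C=US",
    "san_dns": [],
}

if __name__ == "__main__":
    print(cn_values(CERT_MULTI_CN["subject"]))
    for ref, cert in [("www.example.com", CERT_SAN),
                      ("www.example.com", CERT_SAN_OTHER),
                      ("example.com", CERT_MULTI_CN)]:
        print(ref, verify_identity(ref, cert))
```

The CERT_SAN_OTHER case is the one a practitioner should keep in mind: a Subject CN that matches the reference identifier is ignored entirely once the certificate carries any DNS-ID, so an attacker-controlled CN cannot widen a SAN-scoped certificate. The multi-CN case shows why the draft's "false positives" worry is about which values are treated as identifiers, not about the parsing itself.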