On Tue, Jan 14, 2014 at 10:57:50AM -0500, Stephen Nightingale wrote:
> Per the BCP, section 3.3 on Certificate Name Check conventions, the
> Note says that "except with certificate usage 3, where name checks
> are not applicable (see section 4.1) ....."
>
> Section 4.1 is presently empty. Is there a notion of populating the
> Type Specific DANE Guidelines in section 4?
Yes, I added the new text last week. Wes should be reviewing it today,
so your timing is perfect.
You can grab a copy at:
https://github.com/vdukhovni/ietf.git
> From all the above I take it to mean that if the Subject Alt Name in
> the TLS Server served certificate differs from the domain name in
> the TLSA record (for example it offers an email address instead of a
> DNS label or wildcard), it doesn't matter because we don't check it.
Yes, and in fact there need not be any subjectAltNames, the subject
DN may be an empty sequence, and the certificate may be either
already expired, not yet valid, or both. With usage 3 the TLSA
record binds the service end-point directly to a public key; the
certificate itself is just a public-key container.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer:
        Validity
            Not Before: Jan 14 16:25:19 2014 GMT
            Not After : Jan 13 16:25:19 2014 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ae:38:28:5a:22:68:0b:40:6d:51:c3:14:17:4d:
                    99:51:50:21:88:0f:01:c2:a3:0d:f2:02:28:07:a4:
                    93:07:22:fd:e9:82:88:f9:6e:da:4c:43:3f:3e:24:
                    4b:9d:aa:fe:8e:6a:f7:af:48:e1:7b:e5:25:77:05:
                    ec:37:d9:54:8a
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:3b:cf:71:f5:21:ce:69:2f:82:49:37:ee:ee:7b:
         4d:f9:6a:36:a9:f6:f4:9c:29:43:f8:51:b0:b2:dc:63:9a:c8:
         02:21:00:e2:2f:d2:61:ef:3b:56:c0:4a:a4:3e:e0:67:17:9c:
         7c:3b:41:b1:7e:f0:23:22:7d:55:80:aa:4d:85:a1:0f:05
-----BEGIN CERTIFICATE-----
MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNDAxMTQxNjI1MTlaFw0x
NDAxMTMxNjI1MTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuOChaImgL
QG1RwxQXTZlRUCGIDwHCow3yAigHpJMHIv3pgoj5btpMQz8+JEudqv6OavevSOF7
5SV3Bew32VSKMAoGCCqGSM49BAMCA0gAMEUCIDvPcfUhzmkvgkk37u57TflqNqn2
9JwpQ/hRsLLcY5rIAiEA4i/SYe87VsBKpD7gZxecfDtBsX7wIyJ9VYCqTYWhDwU=
-----END CERTIFICATE-----
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
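As an added example, not part of the thread and not Viktor's code, the Python script below takes the certificate posted above, builds the usage-3 TLSA record data for it (selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, the RFC 6698 encoding), checks a certificate against such a record the DANE-EE way, and separately lists what a PKIX-style validator would object to in that same certificate: empty issuer and subject DNs, no extensions (so no subjectAltName), and a validity window whose Not After precedes its Not Before, so it is both expired and not yet valid at any instant. The owner name `_25._tcp.mx.example.com` and the `EMAIL_TIME` timestamp are constructed placeholders, and the DER walker is a minimal one written for this example rather than a general X.509 parser.

```python
import base64
import hashlib
from datetime import datetime

# Constructed input: the certificate printed in the message above, copied verbatim.
PEM_CERT = """-----BEGIN CERTIFICATE-----
MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNDAxMTQxNjI1MTlaFw0x
NDAxMTMxNjI1MTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuOChaImgL
QG1RwxQXTZlRUCGIDwHCow3yAigHpJMHIv3pgoj5btpMQz8+JEudqv6OavevSOF7
5SV3Bew32VSKMAoGCCqGSM49BAMCA0gAMEUCIDvPcfUhzmkvgkk37u57TflqNqn2
9JwpQ/hRsLLcY5rIAiEA4i/SYe87VsBKpD7gZxecfDtBsX7wIyJ9VYCqTYWhDwU=
-----END CERTIFICATE-----"""

# Constructed: roughly when the message above was written, used only for the PKIX date checks.
EMAIL_TIME = datetime(2014, 1, 14, 16, 0, 0)


def pem_to_der(pem):
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                          # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, start, start + length


def _time(buf, pos):
    """Parse a UTCTime (0x17) or GeneralizedTime (0x18) Validity member."""
    tag, s, e = read_tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[s:e].decode("ascii"), fmt), e


def parse_certificate(der):
    """Pull the TBSCertificate fields this example needs (RFC 5280 section 4.1)."""
    tag, s, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = read_tlv(der, s)      # tbsCertificate ::= SEQUENCE
    fields = {"version": 1}
    tag, vs, ve = read_tlv(der, pos)
    if tag == 0xA0:                           # [0] EXPLICIT Version INTEGER (v3 encodes as 2)
        fields["version"] = der[ve - 1] + 1
        pos = ve
    for name in ("serial", "sig_alg", "issuer", "validity", "subject", "spki"):
        tag, vs, ve = read_tlv(der, pos)
        # keep the SPKI with its header: that is exactly what TLSA selector 1 hashes
        fields[name] = der[pos:ve] if name == "spki" else der[vs:ve]
        pos = ve
    fields["serial"] = int.from_bytes(fields["serial"], "big")
    fields["not_before"], nxt = _time(fields["validity"], 0)
    fields["not_after"], _ = _time(fields["validity"], nxt)
    fields["has_extensions"] = False          # [3] extensions is optional in v3
    while pos < tbs_end:
        tag, _, ve = read_tlv(der, pos)
        fields["has_extensions"] |= tag == 0xA3
        pos = ve
    return fields


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA RDATA (RFC 6698 section 2.2) for a certificate."""
    data = cert_der if selector == 0 else parse_certificate(cert_der)["spki"]
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def dane_ee_matches(rdata, cert_der):
    """Usage-3 (DANE-EE) check: recompute the association data from the presented
    certificate and compare. Names, validity dates, issuer and extensions are
    deliberately never consulted, which is the point of the BCP text above."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    if int(usage) != 3:
        raise ValueError("only usage 3 is handled here")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
    return "".join(assoc.split()).lower() == expected


def pkix_objections(cert_der, now):
    """What a PKIX-style validator (as used for usages 0-2) would reject this cert for."""
    f = parse_certificate(cert_der)
    problems = []
    if f["issuer"] == b"":
        problems.append("empty issuer DN")
    if f["subject"] == b"":
        problems.append("empty subject DN")
    if not f["has_extensions"]:
        problems.append("no extensions, hence no subjectAltName")
    if now < f["not_before"]:
        problems.append("not yet valid")
    if now > f["not_after"]:
        problems.append("already expired")
    return problems


if __name__ == "__main__":
    der = pem_to_der(PEM_CERT)
    record = tlsa_rdata(der)
    print("_25._tcp.mx.example.com. IN TLSA", record)   # hypothetical owner name
    print("DANE-EE match:", dane_ee_matches(record, der))
    print("PKIX objections:", pkix_objections(der, EMAIL_TIME))
```

Because selector 1 hashes only the SubjectPublicKeyInfo, the same "3 1 1" record keeps matching after the operator re-issues the certificate with a new serial, new dates or a new self-signature, as long as the key pair is unchanged; a "3 0 1" record over the full certificate breaks on any such re-issue. That is the practical reason the key-only form is the usual choice for DANE-EE, and it is also why key rotation, not certificate renewal, is the event that needs a coordinated TLSA update.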