

To: ietf-provreg@cafax.se
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Thu, 07 Dec 2006 18:31:27 +0100
In-Reply-To: <046F43A8D79C794FA4733814869CDF07019A72E0@dul1wnexmb01.vcorp.ad.vrsn.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Thunderbird 3.0a1 (Windows/20061206)
Subject: Re: [ietf-provreg] Re: Certificate Validation and Subject Analysis

Hollenbeck, Scott wrote:
>> -----Original Message-----
>> From: Frank Thompson [mailto:fot@ca.afilias.info] 
>> Sent: Thursday, December 07, 2006 10:37 AM
>> To: Francisco Obispo
>> Cc: Alexander Mayrhofer; ietf-provreg@cafax.se; Hollenbeck, Scott
>> Subject: Re: [ietf-provreg] Re: Certificate Validation and 
>> Subject Analysis
>>
>>
>> Hello,
>>
>> Afilias does not employ CN identity ACL checking either for the same 
>> reasons as NIC.VE, but use other hardware/software solutions for client 
>> identity and IP ACL validation.
>>
>> Therefore we also believe that this does not belong in the 
>> EPP protocol.
> 
> Well, you guys will need to take that up with the IESG after reviewing
> RFC 3280.  In the mean time, what do you do if the certificate presented
> from a client has valid certification path signatures, but the names
> have nothing to do with that client?
> 
> -Scott-
> 


Hi Scott,

for the puntCAT registry, we do not test the subject either. We adopted the 
behavior of the other registries for the convenience of the registrars. This may 
change in the future, however.

IMHO the simple comparison of the common name against the reverse mapped domain 
name, which is typically done by agents like web browsers, is pretty useless 
unless the name is somehow displayed to a human being thereafter, which is quite 
unlikely for a registry. What does it nowadays take to register a domain, set up 
a system, associate it with the domain name (forward and reverse mapping) and 
apply for an SSL certificate? I saw advertisements claiming that it would take 
only 10 minutes to get a certificate. What kind of validation can I expect to be 
done? Almost none.

It starts to make sense if

- not simply the CN is compared, but the full subject DN is compared to
   a _fixed_ DN that has been specified by the registrar via other means
   (e.g. snail mail, phone)

- only those root certificates are accepted where the level of validation
   is known and is above a minimum level defined by the registry. One
   solution is that the registry itself operates as a CA and issues the
   certificates to the registrars.

However, a fraction of the registrars would be simply overstrained by such 
measures. For a different system (not related to the puntCAT registry), we 
implemented an optional authentication based on client certificates and subject 
DN comparison as described, and we discovered that the adoption rate was much 
less than expected.

By the way, when I saw your question the first time, I tried to identify the 
standard that defines the comparison of the common name with the domain name, 
esp. the handling of those wildcard names, but without luck (including RFC 
3280). If you know it by chance, I'd be happy if you could point me to it. 
Maybe it would make sense to reference this standard in the RFC3734bis if this 
is what you and the IESG think that needs to be done.

Regards,

Klaus Malorny


___________________________________________________________________________
      |       |
      | knipp |                   Knipp  Medien und Kommunikation GmbH
       -------                           Technologiepark
                                         Martin-Schmeißer-Weg 9
      Dipl. Inf. Klaus Malorny           44227 Dortmund
      Klaus.Malorny@knipp.de             Tel. +49 231 9703 0
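
The two measures Klaus lists (comparing the full subject DN against a fixed DN the registrar supplied out of band, and trusting only registry-approved CAs rather than the system store) as an added Python example; this is not code from the thread or from any registry, and the registrar id, the DNs and the ca_file path are constructed placeholders.

```python
import ssl

# Constructed example data: for each registrar the registry stores the exact
# subject DN agreed on out of band (letter, phone), in the nested-tuple form
# that ssl.SSLSocket.getpeercert() uses. All names here are hypothetical.
REGISTERED_SUBJECTS = {
    "registrar-1001": (
        (("countryName", "DE"),),
        (("organizationName", "Example Registrar GmbH"),),
        (("commonName", "epp-client.example-registrar.test"),),
    ),
}


def canonical_dn(dn):
    """Canonical, hashable form of a getpeercert()-style DN: the order of
    RDNs is significant, the order of attributes inside one RDN is not."""
    return tuple(frozenset((t, v) for t, v in rdn) for rdn in dn)


def registrar_for_peer(peercert, registered=REGISTERED_SUBJECTS):
    """Map a presented client certificate to a registrar id by its *full*
    subject DN; return None if no registrar has registered that DN.
    A chain that validates but whose subject is unknown is therefore
    rejected, independent of whatever the CN happens to say.
    The chain itself must already have been verified by the TLS layer."""
    if not peercert or "subject" not in peercert:
        return None
    presented = canonical_dn(peercert["subject"])
    for registrar_id, dn in registered.items():
        if canonical_dn(dn) == presented:
            return registrar_id
    return None


def registry_server_context(ca_file):
    """Server-side TLS context that requires a client certificate and
    trusts only the CA(s) in ca_file (e.g. a CA the registry operates
    itself). Nothing from the system trust store is loaded, so a
    certificate from an arbitrary public CA is not accepted at all.
    ca_file is a path supplied by the operator (assumed here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx
```

After the handshake, `registrar_for_peer(conn.getpeercert())` yields the registrar id to authorize, or None to drop the session.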



