To: ietf-provreg@cafax.se
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Thu, 07 Dec 2006 18:31:27 +0100
In-Reply-To: <046F43A8D79C794FA4733814869CDF07019A72E0@dul1wnexmb01.vcorp.ad.vrsn.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Thunderbird 3.0a1 (Windows/20061206)
Subject: Re: [ietf-provreg] Re: Certificate Validation and Subject Analysis

Hollenbeck, Scott wrote:
>> -----Original Message-----
>> From: Frank Thompson [mailto:fot@ca.afilias.info]
>> Sent: Thursday, December 07, 2006 10:37 AM
>> To: Francisco Obispo
>> Cc: Alexander Mayrhofer; ietf-provreg@cafax.se; Hollenbeck, Scott
>> Subject: Re: [ietf-provreg] Re: Certificate Validation and Subject Analysis
>>
>> Hello,
>>
>> Afilias does not employ CN identity ACL checking either for the same
>> reasons as NIC.VE, but uses other hardware/software solutions for client
>> identity and IP ACL validation.
>>
>> Therefore we also believe that this does not belong in the EPP protocol.
>
> Well, you guys will need to take that up with the IESG after reviewing
> RFC 3280. In the meantime, what do you do if the certificate presented
> from a client has valid certification path signatures, but the names
> have nothing to do with that client?
>
> -Scott-

Hi Scott,

for the puntCAT registry, we do not test the subject either. We adopted the behavior of the other registries for the convenience of the registrars. This may change in the future, however.

IMHO the simple comparison of the common name against the reverse mapped domain name, which is typically done by agents like web browsers, is pretty useless unless the name is somehow displayed to a human being thereafter, which is quite unlikely for a registry. What does it nowadays take to register a domain, set up a system, associate it with the domain name (forward and reverse mapping) and apply for an SSL certificate? I saw advertisements claiming that it would take only 10 minutes to get a certificate. What kind of validation can I expect to be done? Almost none.

It starts to make sense if

- not simply the CN is compared, but the full subject DN is compared to a _fixed_ DN that has been specified by the registrar via other means (e.g. snail mail, phone)
- only those root certificates are accepted where the level of validation is known and is above a minimum level defined by the registry.

One solution is that the registry itself operates as a CA and issues the certificates to the registrars. However, a fraction of the registrars would be simply overstrained by such measures. For a different system (not related to the puntCAT registry), we implemented an optional authentication based on client certificates and subject DN comparison as described, and we discovered that the adoption rate was much less than expected.

By the way, when I saw your question the first time, I tried to identify the standard that defines the comparison of the common name with the domain name, esp. the handling of those wildcard names, but without luck (including RFC 3280). If you know it by chance, I'd be happy if you could point me to it. Maybe it would make sense to reference this standard in the RFC3734bis if this is what you and the IESG think that needs to be done.

Regards,

Klaus Malorny

--
knipp
Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeißer-Weg 9
44227 Dortmund

Dipl. Inf. Klaus Malorny
Klaus.Malorny@knipp.de
Tel. +49 231 9703 0
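An added example, not code from this thread or from any registry: the two conditions Klaus lists (the complete subject DN compared against a DN the registrar supplied out of band, and only the registry's approved roots accepted) written as a check on Go's standard-library x509 package. The registry CA, the registrar DN, the "impostor" certificate and the issue() helper are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue is a hypothetical helper that mints an in-memory certificate for subj, signed by parent
// (self-signed when parent is nil). It exists only to build constructed test material for this example.
func issue(subj pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptClient applies the two conditions from the mail: the path must end in one of the registry's
// approved roots, and the complete subject DN (not just the CN) must equal the DN supplied out of band.
func acceptClient(client *x509.Certificate, roots *x509.CertPool, registered pkix.Name) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return false // unapproved issuer, expired, or otherwise invalid certification path
	}
	return client.Subject.String() == registered.String() // RFC 2253 form of the whole DN, not just CN
}

func main() {
	root, rootKey := issue(pkix.Name{CommonName: "Registry Root CA"}, true, nil, nil) // constructed registry CA
	roots := x509.NewCertPool()
	roots.AddCert(root)
	registered := pkix.Name{CommonName: "epp.registrar.example", Organization: []string{"Registrar Ltd"}, Country: []string{"DE"}}
	good, _ := issue(registered, false, root, rootKey)
	impostor, _ := issue(pkix.Name{CommonName: "epp.registrar.example", Organization: []string{"Other Corp"}}, false, root, rootKey) // same CN
	fmt.Println(acceptClient(good, roots, registered), acceptClient(impostor, roots, registered)) // true false
}
```

The impostor certificate carries the same CN under the same trusted root, so a browser-style CN-only comparison would accept it; only the full-DN comparison rejects it, and a certificate with the exact DN from a root outside the pool fails at the path check.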