
Re: authmeth-16 TLS issues



Roger Harrison wrote:


I've reworked this paragraph on the CN/subjectName check based on several comments in this thread. Here's what I now have:

The server's identity may also be verified by comparing the reference identity to the Common Name value in the leaf RDN of the subjectName field of the server's certificate. Note that the TLS implementation may display DNs in certificates according to X.509 conventions. For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention. This comparison is performed using the rules for comparison of DNS names in section 3.1.3.1 below, with the exception that no wildcard matching is allowed. Although the use of the Common Name value is existing practice, it is deprecated and Certification Authorities are encouraged to provide subjectAltName values instead.

Comments and feedback are welcome.

I think the wording is good; the flow is a bit choppy. Perhaps the Note should be at the end of the paragraph, or a separate paragraph:


The server's identity may also be verified by comparing the reference
identity to the Common Name value in the leaf RDN of the subjectName
field of the server's certificate. This comparison is performed using
the rules for comparison of DNS names in section 3.1.3.1 below, with the
exception that no wildcard matching is allowed. Although the use of the
Common Name value is existing practice, it is deprecated and Certification Authorities are encouraged to provide subjectAltName
values instead. Note that the TLS implementation may display DNs in certificates according to X.509 conventions. For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention. Implementers should not blindly assume the left-most RDN is the leaf RDN.


Roger


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
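As an added illustration of the check the paragraph describes (this is example code, not from the thread or from any LDAP implementation): the leaf RDN is picked by the DN's ordering convention rather than by string position, its CN values are compared to the reference identity label by label, and any wildcard CN is rejected. The sample subject, the `order` argument and all function names are assumptions made for the example.

```python
from typing import List, Tuple

# One RDN is a set of (attribute type, value) pairs; a DN is a sequence of RDNs.
RDN = List[Tuple[str, str]]


def leaf_rdn(subject: List[RDN], order: str) -> RDN:
    """Return the leaf (least significant) RDN of a subject DN.

    An X.509 certificate encodes the subject root-first (X.500 display
    order), so the leaf is the LAST element.  An LDAP string form is
    leaf-first, so a list built from it has the leaf FIRST.  The caller
    states which convention applies instead of assuming "left-most = leaf".
    """
    if order == "x509":
        return subject[-1]
    if order == "ldap":
        return subject[0]
    raise ValueError("order must be 'x509' or 'ldap'")


def cn_values(rdn: RDN) -> List[str]:
    """All CN attribute values in one RDN (a multi-valued RDN may hold several)."""
    return [value for attr_type, value in rdn if attr_type.upper() == "CN"]


def dns_names_match(reference: str, presented: str) -> bool:
    """DNS-name comparison: case-insensitive, label by label, trailing dot
    ignored, and NO wildcard matching, as the CN check requires."""
    if "*" in presented:
        return False  # a wildcard CN never matches under these rules
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    return ref == pres and all(ref)  # all(): reject empty labels


def cn_matches_reference(subject: List[RDN], order: str, reference: str) -> bool:
    """True if any CN in the leaf RDN matches the reference identity."""
    return any(dns_names_match(reference, cn) for cn in cn_values(leaf_rdn(subject, order)))


# Constructed sample: CN=ldap.example.com,OU=Directory,O=Example Corp,C=US
SUBJECT_X509 = [[("C", "US")], [("O", "Example Corp")],
                [("OU", "Directory")], [("CN", "ldap.example.com")]]  # root-first
SUBJECT_LDAP = list(reversed(SUBJECT_X509))                           # leaf-first
SUBJECT_WILDCARD = SUBJECT_X509[:-1] + [[("CN", "*.example.com")]]
```

Reading the same DN with the wrong convention selects `C=US` as the leaf and the check fails, which is the mistake the paragraph warns implementers about.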