
Re: RFC 3280bis and URI schemes without hostname

All,

During the PKIX meeting yesterday, there did not seem to be any objection to allowing subjectAltName extensions to include URIs, in the uniformResourceIdentifier field, that do not include fully qualified domain names. I would propose the following text for section 4.2.1.6, which is a slight modification to Stephen's proposal:

  When the subjectAltName extension contains a URI, the name MUST be
  stored in the uniformResourceIdentifier (an IA5String).  The name
  MUST NOT be a relative URI, and it MUST follow the URI syntax and
  encoding rules specified in [RFC 3986].  The name MUST include both a
  scheme (e.g., "http" or "ftp") and a scheme-specific-part.  URIs that
  include an authority ([RFC 3986], section 3.2) MUST include a fully
  qualified domain name or IP address as the host.  Rules for encoding
  internationalized resource identifiers (IRIs) are specified in
  section 7.4.

  As specified in [RFC 3986], the scheme name is not case-sensitive
  (e.g., "http" is equivalent to "HTTP").  The host part, if present, is
  also not case-sensitive, but other components of the
  scheme-specific-part may be case-sensitive.  Rules for comparing URIs
  are specified in section 7.4.


If this change is adopted, then as I read RFC 3986, we need to consider three types of URIs that may appear in the uniformResourceIdentifier field:

1) URIs that include an authority component in which the host is specified as a fully qualified domain name.

2) URIs that include an authority component in which the host is specified as an IP address.

3) URIs that do not include an authority component.

At the moment, the name constraints section of 3280bis only addresses the first case. While I don't like the idea of applying different matching rules depending on whether the constraint is specified as an excludedSubtree or as a permittedSubtree, that seems to be the best option in this case. The question then becomes, if the name constraints extension specifies a constraint on URIs, how should URIs in the subjectAltName extension of type 2) or 3) be treated? Should such names be ignored, or should the presence of such names cause the certification path to be rejected?

I am inclined to think that URIs that do not include an authority should be ignored. That is, they should be treated just as if they had been included in a different name form for which name constraints have not been defined.

For URIs that include an authority with the host specified as an IP address, I think 3280bis should state that they should be ignored, unless 3280bis specifies how to apply IP address based constraints on URIs.


What do others think? What should the name constraints section of 3280bis state about the treatment of URIs that do not include an authority or that use an IP address for the host? I'd be particularly interested in knowing how current implementations process name constraints on URIs when the host in the subject name is specified using an IP address.

Dave
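The three URI cases above, and the proposed handling of each under a URI name constraint, as an added worked example written for this page. It is not code from RFC 3280bis, the PKIX working group, or any implementation. The host-matching rule (a constraint beginning with "." matches any subdomain, otherwise the host must match exactly) is the one RFC 3280 section 4.2.1.11 gives for URI constraints; the rule that URIs with an IP-address host or with no authority are ignored for constraint purposes is the proposal in the message above, adopted here as an assumption, as is the reading of "fully qualified domain name" as at least two valid DNS labels. All sample URIs and constraints are constructed for the example.

```python
"""Classify subjectAltName URIs per RFC 3986 and apply URI name constraints.

Added example for this page, not code from any RFC or implementation.
Assumptions: IP-host and authority-less URIs are ignored for name
constraints (the proposal in the message above); "fully qualified domain
name" means at least two valid DNS labels.
"""
import ipaddress
import re

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# A name with no such prefix is a relative reference, which the proposed
# text forbids.  (A reg-name like "example.com:8080" with no scheme is
# ambiguous in RFC 3986 itself and is not handled here.)
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.S)
# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def classify_uri(uri):
    """Return (kind, host) for a subjectAltName URI.

    kind is one of:
      'relative'     no scheme; forbidden by the proposed text
      'fqdn'         authority present, host is a domain name   (case 1)
      'ip'           authority present, host is an IPv4/IPv6    (case 2)
      'no-authority' scheme-specific-part has no "//" authority (case 3)
      'bad-host'     authority present but host is neither FQDN nor IP
    """
    m = _SCHEME_RE.match(uri)
    if not m:
        return "relative", None
    rest = m.group(2)
    if not rest.startswith("//"):
        return "no-authority", None
    # authority = [ userinfo "@" ] host [ ":" port ], ended by "/", "?" or "#"
    authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):                 # IP-literal, e.g. [2001:db8::1]:389
        end = hostport.find("]")
        if end < 0:
            return "bad-host", None
        host = hostport[1:end]
    else:                                        # reg-name or IPv4 never contains ":"
        host = hostport.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels):
        return "fqdn", host.lower()              # host part is case-insensitive
    return "bad-host", host


def host_matches(host, constraint):
    """RFC 3280 4.2.1.11 matching of a URI constraint against a host name."""
    host, constraint = host.lower(), constraint.lower()
    if constraint.startswith("."):
        # ".xyz.com" matches abc.xyz.com and abc.def.xyz.com, but not xyz.com
        return host.endswith(constraint)
    return host == constraint


def check_uri_name_constraints(san_uris, permitted=(), excluded=()):
    """Apply URI permitted/excluded subtrees to a list of subjectAltName URIs.

    Returns (accepted, report).  Only case 1 (FQDN host) is tested against
    the subtrees; cases 2 and 3 are ignored, as proposed.  A relative URI or
    a non-conforming host is a malformed name and rejects the path.
    """
    accepted = True
    report = []
    for uri in san_uris:
        kind, host = classify_uri(uri)
        if kind in ("relative", "bad-host"):
            accepted = False
            report.append((uri, kind, "malformed name"))
        elif kind != "fqdn":
            report.append((uri, kind, "ignored for name constraints"))
        elif any(host_matches(host, c) for c in excluded):
            accepted = False
            report.append((uri, kind, "in excludedSubtrees"))
        elif permitted and not any(host_matches(host, c) for c in permitted):
            accepted = False
            report.append((uri, kind, "not in permittedSubtrees"))
        else:
            report.append((uri, kind, "passes"))
    return accepted, report


# Constructed sample names; not taken from any real certificate.
SAMPLE_URIS = [
    "http://www.example.com/index.html",       # case 1: FQDN host
    "https://192.0.2.10:8443/",                # case 2: IPv4 host
    "ldap://[2001:db8::1]/dc=example,dc=com",  # case 2: IPv6 literal host
    "mailto:admin@example.com",                # case 3: no authority
    "urn:example:policy:1",                    # case 3: no authority
    "http://INTRANET.Example.COM/",            # case 1, mixed-case host
]

if __name__ == "__main__":
    ok, rep = check_uri_name_constraints(
        SAMPLE_URIS, permitted=[".example.com"], excluded=["intranet.example.com"])
    for entry in rep:
        print(entry)
    print("path accepted:", ok)
```

With the sample constraints the IP-host and authority-less names are reported as ignored, the www host passes the permitted subtree, and the mixed-case intranet host is rejected by the excluded subtree after case folding; change the two ignore branches to set `accepted = False` to see the effect of the alternative answer to Dave's question (rejecting the path instead of ignoring such names).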