
Re: RFC 3280bis and URI schemes without hostname



At 1:44 PM 12/04/2007, Stephen Kent wrote:
There has been discussion on the list of how to revise 3280bis to address the issue raised by Sam during IETF last call.

I am initiating a 2-week PKIX WG last call on the proposed text, so that David Cooper can submit this as a WG-approved response to Sam's last call comment if the WG concurs.

All,

Some of the 3280bis editors met last week to discuss this issue. The text below represents the editors' proposed changes to 3280bis to address the URI issue. For convenience, I have included the proposed changes in both plain text and as an HTML diff file (attached).

Dave

---------------------------------------

section 4.2.1.6 (Subject Alternative Name), paragraphs 7 and 8:

OLD:
When the subjectAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String). The name
MUST NOT be a relative URL, and it MUST follow the URL syntax and
encoding rules specified in [RFC 3986]. The name MUST include both a
scheme (e.g., "http" or "ftp") and a scheme-specific-part. The
scheme-specific-part MUST include a fully qualified domain name or IP
address as the host. Rules for encoding internationalized resource
identifiers (IRIs) are specified in section 7.4.

As specified in [RFC 3986], the scheme name is not case-sensitive
(e.g., "http" is equivalent to "HTTP"). The host part is also not
case-sensitive, but other components of the scheme-specific-part may
be case-sensitive. Rules for comparing URIs are specified in section
7.4.

NEW:
When the subjectAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String). The name
MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in [RFC 3986]. The name MUST include both a
scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
include an authority ([RFC 3986], section 3.2) MUST include a fully
qualified domain name or IP address as the host. Rules for encoding
internationalized resource identifiers (IRIs) are specified in
section 7.4.

As specified in [RFC 3986], the scheme name is not case-sensitive
(e.g., "http" is equivalent to "HTTP"). The host part, if present,
is also not case-sensitive, but other components of the scheme-
specific-part may be case-sensitive. Rules for comparing URIs are
specified in section 7.4.

-------------

section 4.2.1.10 (Name Constraints), paragraph 6:

OLD:
For URIs, the constraint applies to the host part of the name. The
constraint MAY specify a host or a domain. Examples would be
"host.example.com" and ".example.com". When the the constraint
begins with a period, it MAY be expanded with one or more subdomains.
That is, the constraint ".example.com" is satisfied by both
host.example.com and my.host.example.com. However, the constraint
".example.com" is not satisfied by "example.com". When the
constraint does not begin with a period, it specifies a host.

NEW:
For URIs, the constraint applies to the host part of the name. The
constraint MUST be specified as a fully qualified domain name and MAY
specify a host or a domain. Examples would be "host.example.com" and
".example.com". When the constraint begins with a period, it MAY
be expanded with one or more subdomains. That is, the constraint
".example.com" is satisfied by both host.example.com and
my.host.example.com. However, the constraint ".example.com" is not
satisfied by "example.com". When the constraint does not begin with
a period, it specifies a host. If a constraint is applied to the
uniformResourceIdentifier name form and a subsequent certificate
includes a subjectAltName extension with a uniformResourceIdentifier
that does not include an authority component with a host name
specified as a fully qualified domain name (e.g., if the URI either
does not include an authority component or includes an authority
component in which the host name is specified as an IP address), then
the application MUST reject the certificate.
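The two revised rules above (the 4.2.1.6 well-formedness rule for subjectAltName URIs and the 4.2.1.10 matching rule for URI name constraints) implemented as an added Python example; this is not text or code from 3280bis or the PKIX WG. It assumes only the standard library (urllib.parse, ipaddress, re); the FQDN regex is a deliberate simplification of the DNS label syntax.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplified FQDN syntax: two or more labels of letters/digits/hyphens,
# no leading or trailing hyphen. (Assumed check, not from 3280bis.)
_FQDN = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_san_uri(uri):
    """Split a subjectAltName URI into (scheme, has_authority, host).
    has_authority follows RFC 3986 section 3.2: the text after "scheme:"
    begins with "//". host is lower-cased, without userinfo or port."""
    parts = urlsplit(uri)
    if not parts.scheme:
        raise ValueError("relative URI not allowed in subjectAltName")
    has_authority = uri[len(parts.scheme) + 1:].startswith("//")
    host = parts.hostname if has_authority else None
    return parts.scheme.lower(), has_authority, host


def host_kind(host):
    """Classify an authority host as "fqdn", "ip" or "other"."""
    if host is None:
        return "other"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn" if _FQDN.match(host) else "other"


def san_uri_is_wellformed(uri):
    """Revised 4.2.1.6: absolute URI with a scheme; when an authority is
    present its host must be a fully qualified domain name or IP address.
    A URI with no authority at all (e.g. mailto:, urn:) is acceptable."""
    try:
        _, has_authority, host = parse_san_uri(uri)
    except ValueError:
        return False
    return (not has_authority) or host_kind(host) in ("fqdn", "ip")


def uri_satisfies_constraint(uri, constraint):
    """Revised 4.2.1.10: the constraint is a DNS name, not a URI.
    ".example.com" matches any subdomain (but not example.com itself);
    "host.example.com" matches only that host. A URI without an authority,
    or whose host is an IP address, can never satisfy the constraint, so
    the certificate carrying it must be rejected (returns False)."""
    _, has_authority, host = parse_san_uri(uri)
    if not has_authority or host_kind(host) != "fqdn":
        return False
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint
```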

-------------

10 (Security Considerations), add the following paragraph:

In general, using the nameConstraints extension to constrain one name
form (e.g. DNS names) offers no protection against use of other name
forms (e.g. electronic mail addresses).

-------------

Appendix B (ASN.1 Notes), add the following paragraph:

The content specific rules for encoding GeneralName field values in
the nameConstraints extension differ from rules that apply in other
extensions. In all other certificate, CRL, and CRL entry extensions
specified in this document the encoding rules conform to the rules
for the underlying type. For example, values in the
uniformResourceIdentifier field must contain a valid URI as specified
in [RFC 3986]. The content specific rules for encoding values in the
nameConstraints extension are specified in section 4.2.1.10, and
these rules may not conform to the rules for the underlying type.
For example, when the uniformResourceIdentifier field appears in a
nameConstraints extension, it must hold a DNS name (e.g.,
"host.example.com" or ".example.com") rather than a URI.
