Opened 8 years ago

Closed 6 years ago

#17 closed defect (fixed)

Add advice on CNs

Reported by: benl@… Owned by: rob.stradling@…
Priority: major Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:
Cc:

Description

Some CAs would like to include CNs even though they are deprecated. If using name redaction, what should go in the CN? Add advice somewhere to suggest they use the base domain name (which will also have to be added as a SAN).

Change History (11)

comment:1 Changed 8 years ago by benl@…

It would be nice if someone (maybe Google) would test whether omitting CNs actually causes any problem.

comment:2 Changed 8 years ago by benl@…

In fact we think that removing CNs will break some tiny percentage of devices, and so we should allow a single CN, which, if present, uses the first entry in the redaction list.

comment:3 Changed 7 years ago by rob.stradling@…

The mailing list (also, see ticket #42) is currently discussing the dangers of the name redaction mechanism. I think that discussion needs to reach a firm conclusion on whether name redaction should ever be allowed before we can continue progress on this ticket. (If name redaction is never allowed, then this ticket is pointless and should be marked WONTFIX).

comment:4 follow-up: Changed 7 years ago by eranm@…

  • Resolution set to duplicate
  • Status changed from new to closed

Ticket #54 addresses this, marking as duplicate.

comment:5 in reply to: ↑ 4 Changed 7 years ago by rob.stradling@…

  • Resolution duplicate deleted
  • Status changed from closed to reopened

Replying to eranm@…:

Ticket #54 addresses this, marking as duplicate.

It turns out that the initial proposal in ticket #54 doesn't actually work. Reopening this ticket.

comment:6 Changed 7 years ago by rob.stradling@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to rob.stradling@…
  • Status changed from reopened to new

comment:7 Changed 7 years ago by rob.stradling@…

  • Status changed from new to assigned

We'll use Ben's proposal from comment:2:
"...we should allow a single CN, which, if present, uses the first entry in the redaction list."

Let's require the Subject CN, if present, to match the first dNSName in the SAN extension, so that they can both use the first entry in the redaction list.

comment:8 Changed 7 years ago by rob.stradling@…

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:9 Changed 6 years ago by rob.stradling@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

It's problematic to require the Subject CN, if present, to match the first SAN dNSName. See this thread for discussion:
https://mailarchive.ietf.org/arch/msg/trans/q3mT1tSeKJkh2TDftElF8WBlLp8

Let's adopt Peter Bowen's suggestion to "...append one more element to the sequence for CN redaction level. I think it should go at the end, rather than the beginning, as it should be more likely to not have a common name than not having a SAN."
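As an added illustration (not part of the ticket, and not the draft's ASN.1 or the project's code), the following Python models the two designs discussed above: one redaction level per SAN dNSName, plus, per comment:9, one trailing element for the Subject CN when a CN is present. The `?` placeholder for a redacted label, the validation rules and the sample names are all assumptions made for this example.

```python
"""Model of per-name label redaction for a CT precertificate.

Constructed example: it mirrors the ticket's discussion (one level per SAN
dNSName, and a trailing level for the Subject CN when one is present), but the
placeholder character, the checks and the sample names are assumptions.
"""
from typing import List, Optional, Sequence, Tuple

REDACTED_LABEL = "?"  # assumed placeholder for each redacted label


def redact_labels(dns_name: str, level: int) -> str:
    """Replace the leftmost `level` labels of `dns_name` with the placeholder.

    Redacting every label (or more than exist) is rejected: a name with no
    public labels left would tell a relying party nothing.
    """
    labels = dns_name.split(".")
    if not 0 <= level < len(labels):
        raise ValueError(f"cannot redact {level} labels of {dns_name!r}")
    return ".".join([REDACTED_LABEL] * level + labels[level:])


def expected_sequence_length(san_dnsnames: Sequence[str], subject_cn: Optional[str]) -> int:
    """One element per SAN dNSName, plus one at the end for the CN (comment:9)."""
    return len(san_dnsnames) + (1 if subject_cn is not None else 0)


def sequence_is_well_formed(san_dnsnames: Sequence[str], subject_cn: Optional[str],
                            levels: Sequence[int]) -> bool:
    """Check that the redaction sequence has exactly the expected length."""
    return len(levels) == expected_sequence_length(san_dnsnames, subject_cn)


def apply_redaction(san_dnsnames: Sequence[str], subject_cn: Optional[str],
                    levels: Sequence[int]) -> Tuple[List[str], Optional[str]]:
    """Return the redacted SAN dNSNames and the redacted CN.

    Because the CN carries its own trailing level, it need not match the first
    SAN entry (the constraint from comment:7 that comment:9 drops).
    """
    if not sequence_is_well_formed(san_dnsnames, subject_cn, levels):
        raise ValueError(
            f"expected {expected_sequence_length(san_dnsnames, subject_cn)} "
            f"redaction levels, got {len(levels)}")
    redacted_san = [redact_labels(name, lvl) for name, lvl in zip(san_dnsnames, levels)]
    redacted_cn = None
    if subject_cn is not None:
        redacted_cn = redact_labels(subject_cn, levels[-1])
    return redacted_san, redacted_cn


if __name__ == "__main__":
    # Constructed sample certificate contents.
    san = ["secret.internal.example.com", "www.example.com"]

    # CN equal to the first SAN entry, both redacted by two labels.
    print(apply_redaction(san, "secret.internal.example.com", [2, 0, 2]))

    # CN that is not the first SAN entry, left unredacted via its own level.
    print(apply_redaction(san, "www.example.com", [2, 0, 0]))

    # No CN at all: the sequence is just one level per SAN dNSName.
    print(apply_redaction(san, None, [2, 0]))
```

The length check is the part a log or monitor would actually enforce: a sequence that is one element short is ambiguous about whether the CN or the last SAN entry is missing a level, so it is rejected rather than guessed at.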

comment:11 Changed 6 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from reopened to closed