Re: PKITS test case 4.13.38 vs RFC 3280
Nelson,

After reading your email, I must acknowledge the ambiguity in the text from 
3280!  However, that text was intended to indicate that adding an 
additional name component or components to the left hand side would meet 
the restriction.  Permitting additional text to the left of an existing 
name component could have unexpected consequences....

For example, a DNS permitted subtree of "card.com" would be satisfied by 
"mastercard.com".  This would clearly be a security problem!

My apologies for the ambiguity; I'll try to get that fixed in any update of 
3280!  I will also see if this can be added to the errata list for 
3280.  (I'm not entirely clear on those procedures.)

Thank you for pointing this out.  I do believe the test accurately 
represents the intentions of the PKIX WG, and the more narrow reading 
avoids a possible security hole.  I will pursue a more official correction 
ASAP.

Thanks,

Tim Polk


At 02:07 AM 1/17/2004 -0500, Nelson Bolyard wrote:

>PKITS test case 4.13.38 appears to me to contradict RFC 3280, in letter
>but perhaps not in spirit.
>
>The PKITS doc says, about this test case (section 4.13.38, pages 82-83):
>
>    In this test, the intermediate certificate includes a nameConstraints
>    extension that specifies a single permitted subtree. The end entity
>    certificate includes a subjectAltName extension with a dNSName that falls
>    outside that subtree. The permitted subtree is “testcertificates.gov” and
>    the subjectAltName is “mytestcertificates.gov”.
>
>    Expected Result: The path should not validate successfully.
>
>But RFC 3280 says, concerning dNSName constraints (section 4.2.1.11, page 38)
>
>    DNS name restrictions are expressed as foo.bar.com.  Any DNS name
>    that can be constructed by simply adding to the left hand side of the
>    name satisfies the name constraint.  For example, www.foo.bar.com
>    would satisfy the constraint but foo1.bar.com would not.
>
>Clearly, mytestcertificates.gov is a name that can be constructed by simply
>adding "my" to the left hand side of the name "testcertificates.gov".
>The example shows the addition of a string ending in dot, but the text
>does not clearly require it.
>
>Is there any IETF Internet Draft or RFC errata that amends the above
>quoted paragraph from RFC 3280 in this regard?  Perhaps to say something
>like "... adding a string ending in a period to the left hand side ..."?
>
>The addition of a requirement of a period seems sensible, but I'm
>inclined to follow the letter of the law, so to speak, with RFC 3280,
>barring some official amendment.
>
>Comments?
>
>Nelson
>
>--
>12345678901234567890123456789012345678901234567890123456789012345678901234567890
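The two readings of the RFC 3280 dNSName rule that this thread compares, written out as an added example (this code is not part of the thread, nor of PKITS, NSS, or any RFC): `literal_match` implements the "add anything to the left" reading Nelson quotes, and `label_match` implements the label-boundary reading Tim says the PKIX WG intended. The function names and the case/trailing-dot normalization are my own choices; the sample names (card.com vs mastercard.com, testcertificates.gov vs mytestcertificates.gov, foo.bar.com vs www.foo.bar.com / foo1.bar.com) come from the messages above.

```python
"""dNSName name-constraint matching under the two readings of RFC 3280
section 4.2.1.11 discussed in the thread (added example, not from the page)."""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the same
    # absolute name, so fold both before comparing.
    return name.strip().rstrip(".").lower()


def literal_match(name: str, subtree: str) -> bool:
    """Loose, letter-of-the-text reading: any string prepended to the
    permitted subtree counts. This is the reading the thread shows to be
    unsafe (it lets "mastercard.com" satisfy a "card.com" constraint)."""
    n, s = _normalize(name), _normalize(subtree)
    return bool(s) and n.endswith(s)


def label_match(name: str, subtree: str) -> bool:
    """Intended reading: only whole labels may be added on the left, so the
    name must equal the subtree or end with '.' followed by the subtree."""
    n, s = _normalize(name), _normalize(subtree)
    if not n or not s:
        return False
    return n == s or n.endswith("." + s)


def check_permitted(name: str, permitted_subtrees) -> bool:
    """True if `name` lies within at least one permittedSubtrees dNSName
    entry under the label-boundary reading. Assumes the caller has already
    established that dNSName subtrees are present for this name type."""
    return any(label_match(name, s) for s in permitted_subtrees)


def check_excluded(name: str, excluded_subtrees) -> bool:
    """True if `name` lies within any excludedSubtrees dNSName entry; the
    same label-boundary rule applies, so "mastercard.com" is NOT excluded
    by an entry of "card.com" either."""
    return any(label_match(name, s) for s in excluded_subtrees)


if __name__ == "__main__":
    # Constructed inputs taken from the thread's own examples.
    for name, subtree in [("mastercard.com", "card.com"),
                          ("mytestcertificates.gov", "testcertificates.gov"),
                          ("www.foo.bar.com", "foo.bar.com"),
                          ("foo1.bar.com", "foo.bar.com")]:
        print(f"{name!r:28} in {subtree!r:24} literal={literal_match(name, subtree)!s:5} "
              f"label={label_match(name, subtree)}")
```

Under the label reading, PKITS 4.13.38 fails as expected (mytestcertificates.gov is not within testcertificates.gov), while the RFC's own positive example (www.foo.bar.com within foo.bar.com) still passes; the literal reading accepts all four pairs except foo1.bar.com, which is exactly the hole Tim describes.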