IETF Logo Mail Archive

Re: [keyassure] Using trust anchor language

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Thu, 27 January 2011 18:12 UTC

Return-Path: <asteingruebl@paypal-inc.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C67423A691B for <keyassure@core3.amsl.com>; Thu, 27 Jan 2011 10:12:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.301
X-Spam-Level:
X-Spam-Status: No, score=-8.301 tagged_above=-999 required=5 tests=[AWL=0.816, BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-97+vKBywmL for <keyassure@core3.amsl.com>; Thu, 27 Jan 2011 10:12:36 -0800 (PST)
Received: from den-mipot-001.corp.ebay.com (den-mipot-001.corp.ebay.com [216.113.175.152]) by core3.amsl.com (Postfix) with ESMTP id B0CD33A681F for <keyassure@ietf.org>; Thu, 27 Jan 2011 10:12:36 -0800 (PST)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Date:Subject:Thread-Topic:Thread-Index:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:acceptlanguage: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=QfnAXelGMs2/De0U5zltQxjUNOiozG2xr3nIWZvf9QlpHBX0VEr4nxpl Xu4H1PZAMrEJoWHOZLY4GTqKPiYqpAPjdU52uGvzO70QnsAt5Vt7952fH ibkESPpjfqf0luR;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=asteingruebl@paypal-inc.com; q=dns/txt; s=ppinc; t=1296152141; x=1327688141; h=from:to:cc:date:subject:message-id:references: in-reply-to:content-transfer-encoding:mime-version; z=From:=20"Steingruebl,=20Andy"=20<asteingruebl@paypal-inc .com>|To:=20Stephen=20Kent=20<kent@bbn.com>|CC:=20Paul=20 Wouters=20<paul@xelerance.com>,=20"keyassure@ietf.org"=0D =0A=09<keyassure@ietf.org>|Date:=20Thu,=2027=20Jan=202011 =2011:13:57=20-0700|Subject:=20RE:=20[keyassure]=20Using =20trust=20anchor=20language|Message-ID:=20<5EE049BA3C653 8409BBE6F1760F328ABEB1A2F1A36@DEN-MEXMS-001.corp.ebay.com >|References:=20<mailman.75.1295985619.11993.keyassure@ie tf.org>=0D=0A=20<4D404B76.7010702@gmail.com>=20<4D4052C8. 3060308@vpnc.org>=0D=0A=20<AANLkTiniYvX9to86y3ya0HcPpE7_M BkmYgTWUNC2kW5f@mail.gmail.com>=0D=0A=20<4D4182E6.1000908 @vpnc.org>=20<p06240802c967386692da@[192.1.255.194]>=0D =0A=20<alpine.LFD.1.10.1101271111460.19497@newtla.xeleran ce.com>=0D=0A=20<p0624080cc9675482299c@[192.1.255.194]> =0D=0A=20<5EE049BA3C6538409BBE6F1760F328ABEB1A2F19B2@DEN- MEXMS-001.corp.ebay.com>=0D=0A=20<p0624080ec9675ef30027@[ 192.1.255.194]>|In-Reply-To:=20<p0624080ec9675ef30027@[19 2.1.255.194]>|Content-Transfer-Encoding:=20quoted-printab le|MIME-Version:=201.0; bh=Z3QMXRe5d02r5eqNZCU/CipI2pzT2+TGyBXnJUtAI3I=; b=aapioOQ4NKOMYR0kx+tP/AILSye4oMhtBhr7D/fYcOlqUYacgeQLD7qq HL6uEQXvaTCscmAyMWaYsg5IIDtNjUjmJHbjtBG6rWiiuGfyosT2M7X23 Nx8Knxi0aSdu9Rh;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.60,387,1291622400"; d="scan'208";a="486270"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-MEXHT-002.corp.ebay.com) ([10.101.112.213]) by den-mipot-001.corp.ebay.com with ESMTP; 27 Jan 2011 10:15:40 -0800
Received: from DEN-MEXMS-001.corp.ebay.com ([10.241.16.225]) by DEN-MEXHT-002.corp.ebay.com ([10.241.17.53]) with mapi; Thu, 27 Jan 2011 11:13:59 -0700
From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Stephen Kent <kent@bbn.com>
Date: Thu, 27 Jan 2011 11:13:57 -0700
Thread-Topic: [keyassure] Using trust anchor language
Thread-Index: Acu+SlVeuNGcV3B0TV6MjtWcY8V1ggAAve4w
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB1A2F1A36@DEN-MEXMS-001.corp.ebay.com>
References: <mailman.75.1295985619.11993.keyassure@ietf.org> <4D404B76.7010702@gmail.com> <4D4052C8.3060308@vpnc.org> <AANLkTiniYvX9to86y3ya0HcPpE7_MBkmYgTWUNC2kW5f@mail.gmail.com> <4D4182E6.1000908@vpnc.org> <p06240802c967386692da@[192.1.255.194]> <alpine.LFD.1.10.1101271111460.19497@newtla.xelerance.com> <p0624080cc9675482299c@[192.1.255.194]> <5EE049BA3C6538409BBE6F1760F328ABEB1A2F19B2@DEN-MEXMS-001.corp.ebay.com> <p0624080ec9675ef30027@[192.1.255.194]>
In-Reply-To: <p0624080ec9675ef30027@[192.1.255.194]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: ibY3gl8VZ3/BnPOXCTNJLw==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Cc: "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] Using trust anchor language
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 18:12:37 -0000

> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> 
> Sorry for being dense, but can you explain how the SNI extension and IP
> exhaustion relate to the issue of extracting a DNS name from a cert vs.
> inferring it from the DNS record?

Ordinarily, in order to host multiple TLS-endpoints (web virtual hosting) on a single-IP, you have two choices:

1. A cert with multiple SANs
2. use SNI so a client can indicate which end-endpoint (hostname) it is trying to reach.

#1 is extremely problematic when virtual-hosting services for different entities, or lots of entities.  For example, CDNs will often try to virtual a number of websites at the same IP, and will have a certificate with SANs that span a multitude of organizations/businesses.

#2 is problematic because SNI isn't supported in Windows-XP.

Currently, #1 or a single-IP per "website/hostname" is required.

With TLSA if we don't have to embed the hostname in the certificate offered during the TLS handshake, we don't care about SNI if a client supports TLSA.  Now, what client will support TLSA and not SNI, well, that's why this isn't really that big a deal I suppose..

- Andy

v2.23.0 | Report a Bug | By Email