idnits 2.17.1 

draft-rsalz-use-san-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([RFC5280], [RFC6125]), which
     it shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  -- The abstract seems to indicate that this document updates RFC6125, but
     the header doesn't have an 'Updates:' line to match this.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (4 February 2021) is 1169 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)


     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	TBD Working Group                                                R. Salz
3	Internet-Draft                                       Akamai Technologies
4	Intended status: Standards Track                         4 February 2021
5	Expires: 8 August 2021

7	                           Use the SAN field
8	                         draft-rsalz-use-san-00

10	Abstract

12	   In the decade since [RFC6125] was published, the subjectAltName
13	   extension, as defined in [RFC5280] has become ubiquitous.  This
14	   document updates [RFC6125] to specify that the fall-back techniques
15	   of using commonName attribute to identify the service MUST NOT be
16	   used.

18	Discussion Venues

20	   This note is to be removed before publishing as an RFC.

22	   Source for this draft and an issue tracker can be found at
23	   https://github.com/richsalz/draft-rsalz-use-san.

25	Status of This Memo

27	   This Internet-Draft is submitted in full conformance with the
28	   provisions of BCP 78 and BCP 79.

30	   Internet-Drafts are working documents of the Internet Engineering
31	   Task Force (IETF).  Note that other groups may also distribute
32	   working documents as Internet-Drafts.  The list of current Internet-
33	   Drafts is at https://datatracker.ietf.org/drafts/current/.

35	   Internet-Drafts are draft documents valid for a maximum of six months
36	   and may be updated, replaced, or obsoleted by other documents at any
37	   time.  It is inappropriate to use Internet-Drafts as reference
38	   material or to cite them other than as "work in progress."

40	   This Internet-Draft will expire on 8 August 2021.

42	Copyright Notice

44	   Copyright (c) 2021 IETF Trust and the persons identified as the
45	   document authors.  All rights reserved.

47	   This document is subject to BCP 78 and the IETF Trust's Legal
48	   Provisions Relating to IETF Documents (https://trustee.ietf.org/
49	   license-info) in effect on the date of publication of this document.
50	   Please review these documents carefully, as they describe your rights
51	   and restrictions with respect to this document.  Code Components
52	   extracted from this document must include Simplified BSD License text
53	   as described in Section 4.e of the Trust Legal Provisions and are
54	   provided without warranty as described in the Simplified BSD License.

56	Table of Contents

58	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
59	   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   2
60	   3.  The New Rules . . . . . . . . . . . . . . . . . . . . . . . .   3
61	     3.1.  Designing Application Protocols . . . . . . . . . . . . .   3
62	     3.2.  Representing Server Identity  . . . . . . . . . . . . . .   3
63	     3.3.  Verifying Service Identity  . . . . . . . . . . . . . . .   3
64	   4.  Constraints on Wildcards  . . . . . . . . . . . . . . . . . .   3
65	   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
66	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
67	   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
68	   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   4
69	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

71	1.  Introduction

73	   In the decade since [RFC6125] was published, the subjectAltName
74	   extension, as defined in [RFC5280] has become ubiquitous.  This
75	   document updates [RFC6125] to specify that the fall-back techniques
76	   of using commonName attribute to identify the service MUST NOT be
77	   used.

79	2.  Conventions and Definitions

81	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
82	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
83	   "OPTIONAL" in this document are to be interpreted as described in BCP
84	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
85	   capitals, as shown here.

87	   The terminology from [RFC6125] is used here.  Specifically, the
88	   following terms and brief definition (as a reminder):

90	   *  CN-ID: the Common Name element from a Distingiushed Name.

92	   *  DNS-ID, SRV-ID, URI-ID: different types of entries in a
93	      subjectAltName extension.

95	3.  The New Rules

97	   The CN-ID MUST NOT be used.  The appropriate value in the
98	   subjectAltName extension MUST be used to get the presented identity
99	   of the server.

101	   While not discussed in [RFC6125], this section also implicitly
102	   prohibits the use of the Domain Component or emailAddress RDN's.

104	   The following sections repeat the above rule in other forms, for the
105	   purpose of updating [RFC6125].

107	3.1.  Designing Application Protocols

109	   Applications should determine which form of name they want to use,
110	   and specify the appropriate subjectAltName extension.  Unless there
111	   are reasons to do otherwise, applications SHOULD use the DNS-ID form.

113	3.2.  Representing Server Identity

115	   Severs either MUST NOT issue a CN-ID, or MUST use a form for the
116	   Common Name RDN that cannot be mistaken for an identifier.  Not using
117	   Common Name is preferred.

119	3.3.  Verifying Service Identity

121	   When constructing a list of reference identifiers, the client MUST
122	   NOT include any CN-ID present in the certificate.  This means that
123	   section 6.4.4 of [RFC6125] MUST be ignored.

125	4.  Constraints on Wildcards

127	   Wildcard certificates are discussed in section 7.2 of [RFC6125],
128	   which says that the specifications "are not clear or consistent"
129	   about where a wildcard can appear.

131	   This documents specifies that a wildcard can appear

133	   *  only as the left-most label; or

135	   *  as the last character in a left-most label

137	5.  Security Considerations

139	   The CN-ID, domainComponent, and emailAddress RDN fields are
140	   unstructured free text, and using them is dependant on ordering and
141	   encoding concerns.  In addition, their evaluation when PKIX
142	   nameConstraints are present is ambiguous.  This document removes
143	   those fields from use, so a source of possible errors is removed.

145	   Because of the ambiguity around wildcards, [RFC6125] mentions that it
146	   is possible to have exploitable differences in behavior.  By
147	   simplifying those practices to one rule, this source of errors should
148	   be avoided.

150	   All other security considerations of [RFC6125] and its dependant
151	   documents are still relevant.

153	6.  IANA Considerations

155	   This document has no IANA actions.

157	7.  Normative References

159	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
160	              Requirement Levels", BCP 14, RFC 2119,
161	              DOI 10.17487/RFC2119, March 1997,
162	              <https://www.rfc-editor.org/info/rfc2119>.

164	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
165	              Housley, R., and W. Polk, "Internet X.509 Public Key
166	              Infrastructure Certificate and Certificate Revocation List
167	              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
168	              <https://www.rfc-editor.org/info/rfc5280>.

170	   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
171	              Verification of Domain-Based Application Service Identity
172	              within Internet Public Key Infrastructure Using X.509
173	              (PKIX) Certificates in the Context of Transport Layer
174	              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
175	              2011, <https://www.rfc-editor.org/info/rfc6125>.

177	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
178	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
179	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

181	Acknowledgments

183	   TODO acknowledge.

185	Author's Address

187	   Rich Salz
188	   Akamai Technologies

190	   Email: rsalz@akamai.com