nanog mailing list archives

Re: looking for terminology recommendations concerning non-rooted FQDNs


From: Jay Ashworth <jra () baylink com>
Date: Mon, 25 Feb 2013 13:18:05 -0500 (EST)

----- Original Message -----
From: "Brian Reichert" <reichert () numachi com>

> On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> > If I understood Brian correctly, his problem is that people/programs
> > are trying to retrieve things from, eg:
> > 
> > https://my.host.name./this/is/a/path
> > 
> > and the SSL library fails the certificate match if the cert doesn't contain
> > the absolute domain name as an altName -- because *the browser* (or
> > whatever) does not normalize before calling the library.
> 
> I'd argue that if you have an absolute domain name, then that _is_
> the 'normalized' form of the domain name; it's an unambiguous
> representation of the domain name. (Here, I'm treating the string
> as a serialized data structure.)

I disagree, and happily, I can tell you exactly why.

> Choosing to remove the notion of "this is rooted", and then asking
> any (all?) other layers to handle the introduced ambiguity sounds
> like setting yourself up for the issues that RFC 1535 was drawing
> attention to.

The interface we're talking about here is an application on a machine
asking the SSL library "does the certificate which I have retrieved and
handed to you for processing match this domain name?"

*Since that certificate has [possibly] come from a different machine*,
the context in which that evaluation must be done seems necessarily to
be "over the wire/remote", and -- if you accept my earlier premise --

*it[1] is inherently absolute, no matter what it contains*.

Since that context exists, you can then safely strip off the trailing
dot inside the library before making said comparison.

This is not the same circumstance as being presented with a shortname,
where the actual IP connection/SSL retrieval was done based on the 
resolver applying a search path: in this case there's no obvious
thing which the library could add, whereas it *is* obvious what you
should strip (and, I allege, why) in the absolute-name-provided case.

[1] The context of the evaluation, and by extension, the context of the
string you're handing the SSL library to do the match.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
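
The matching rule Jay describes, as an added example that is not code from this thread or from any real TLS library: the name handed to the library is normalised (trailing dot stripped, case folded) before it is compared against the certificate's SAN dNSNames, while a bare shortname is left to the resolver layer, which is the only place that knows which search suffix was applied. The SAN lists, the search list and the stub resolver's zone data are constructed for illustration, and `naive_match` stands in for the library behaviour the thread complains about.

```python
"""Reference-identifier matching for TLS: trailing-dot normalisation and the
shortname case.

Added example for the NANOG thread above; not code from the posters or from
any TLS library.  SAN lists, search list and zone data are constructed.
"""

from typing import Iterable, Mapping, Optional, Sequence


def normalize_hostname(name: str) -> str:
    """Canonicalise a name before comparing it to a certificate's dNSNames.

    A name that arrives with a trailing dot ("my.host.name.") is already an
    absolute DNS name, so stripping the dot loses no information.  Case is
    folded because DNS names compare case-insensitively.
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name or name.startswith(".") or ".." in name:
        raise ValueError(f"malformed hostname: {name!r}")
    return name


def naive_match(san_dnsnames: Iterable[str], hostname: str) -> bool:
    """The behaviour the thread complains about: an exact string comparison
    with no normalisation, so "my.host.name." never matches "my.host.name"."""
    return hostname in set(san_dnsnames)


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname, both normalised first.

    RFC 6125 style: '*' is honoured only as the whole left-most label, it
    matches exactly one label, and it must be followed by at least two more
    labels so that "*.name" cannot match "host.name".
    """
    p_labels = normalize_hostname(pattern).split(".")
    h_labels = normalize_hostname(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(san_dnsnames: Iterable[str], hostname: str) -> bool:
    """Return True if any SAN dNSName covers hostname after normalisation."""
    return any(dnsname_matches(p, hostname) for p in san_dnsnames)


def resolve_with_search_list(
    name: str, search_list: Sequence[str], zone: Mapping[str, str]
) -> Optional[str]:
    """Stub resolver (ndots:1 semantics): return the FQDN that actually
    resolved, or None.

    This layer knows which suffix it appended; the TLS library never sees
    that, which is why it cannot reconstruct a shortname on its own.  The
    application should hand the library the FQDN returned here.
    """
    if name.endswith("."):                      # rooted: never search
        candidates = [name]
    elif "." in name:                           # try literal first, then search
        candidates = [name] + [f"{name}.{s}" for s in search_list]
    else:                                       # shortname: search first
        candidates = [f"{name}.{s}" for s in search_list] + [name]
    for candidate in candidates:
        fqdn = normalize_hostname(candidate)
        if fqdn in zone:
            return fqdn
    return None


if __name__ == "__main__":
    # Constructed certificate SAN and zone data for the thread's example host.
    SAN = ["my.host.name", "*.host.name"]
    ZONE = {"my.host.name": "192.0.2.10"}
    SEARCH = ["host.name"]

    print("naive, rooted name :", naive_match(SAN, "my.host.name."))   # False
    print("normalised, rooted :", match_hostname(SAN, "my.host.name.")) # True
    print("shortname, library :", match_hostname(SAN, "my"))            # False
    resolved = resolve_with_search_list("my", SEARCH, ZONE)
    print("shortname, resolver:", resolved,
          match_hostname(SAN, resolved) if resolved else None)          # True
```

The two shortname lines make Jay's distinction concrete: `match_hostname(SAN, "my")` fails because the library has nothing it can safely append, whereas the resolver that applied the search list can return `my.host.name`, and the application should pass that absolute name on to the library.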
