looking for terminology recommendations concerning non-rooted FQDNs

Jay Ashworth jra at baylink.com
Mon Feb 25 18:18:05 UTC 2013


----- Original Message -----
> From: "Brian Reichert" <reichert at numachi.com>

> On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> > If I understood Brian correctly, his problem is that people/programs
> > are trying to retrieve things from, eg:
> >
> > https://my.host.name./this/is/a/path
> >
> > and the SSL library fails the certificate match if the cert doesn't contain
> > the absolute domain name as an altName -- because *the browser* (or
> > whatever) does not normalize before calling the library.
> 
> I'd argue that if you have an absolute domain name, then that _is_
> the 'normalized' form of the domain name; it's an unambiguous
> representation of the domain name. (Here, I'm treating the string
> as a serialized data structure.)

I disagree, and happily, I can tell you exactly why.

> Choosing to remove the notion of "this is rooted", and then asking
> any (all?) other layers to handle the introduced ambiguity sounds
> like setting yourself up for the issues that RFC 1535 was drawing
> attention to.

The interface we're talking about here is an application on a machine
asking the SSL library "does the certificate which I have retrieved and
handed to you for processing match this domain name?"

*Since that certificate has [possibly] come from a different machine*,
the context in which that evaluation must be done seems necessarily to
be "over the wire/remote", and -- if you accept my earlier premise --

*it[1] is inherently absolute, no matter what it contains*.

Since that context exists, you can then safely strip off the trailing
dot inside the library before making said comparison.

This is not the same circumstance as being presented with a shortname,
where the actual IP connection/SSL retrieval was done based on the 
resolver applying a search path: in this case there's no obvious
thing which the library could add, whereas it *is* obvious what you
should strip (and, I allege, why) in the absolute-name-provided case.

[1] The context of the evaluation, and by extension, the context of the
string you're handing the SSL library to do the match.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
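The rule argued in the message above, as an added illustration that is not code from the NANOG thread or from any particular TLS library: a minimal name matcher that strips exactly one trailing dot from the name handed to it before comparing against the certificate's dNSName subjectAltName entries, but does not try to expand a bare shortname, since the library has no resolver search path to apply. The wildcard rule (a single `*` as the whole leftmost label, matching one label, with at least two labels to its right) and the `SAMPLE_SANS` list are assumptions of this example, not something the thread states.

```python
"""Hostname normalization before certificate name matching.

Added example (not code from the NANOG thread). It implements the
position taken in the message above: a trailing dot on the name given to
the TLS layer marks an absolute name and is stripped before the SAN
comparison, while a bare shortname is left alone and therefore simply
fails to match.
"""
from __future__ import annotations

import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def normalize_for_cert_match(name: str) -> str:
    """Canonical form of a host name for SAN comparison.

    - lower-case (DNS names are case-insensitive)
    - strip exactly one trailing dot (the 'absolute' marker); a name such
      as 'a.b..' or an empty label is rejected as malformed
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name or name.endswith(".") or name.startswith("."):
        raise ValueError(f"malformed host name: {name!r}")
    for label in name.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"malformed label {label!r} in {name!r}")
    return name


def _san_matches(san: str, host: str) -> bool:
    """Compare one dNSName SAN against an already-normalized host.

    Exact match, or a single '*' as the entire leftmost label matching
    exactly one host label, with at least two labels after the wildcard.
    (Wildcard policy is this example's assumption, modelled on RFC 6125.)
    """
    san = san.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or len(san_labels) != len(host_labels):
        return False
    if len(host_labels) < 3:
        return False
    return san_labels[1:] == host_labels[1:]


def cert_matches(dns_sans: list[str], requested: str) -> bool:
    """True if any dNSName SAN in the certificate matches `requested`.

    `requested` may be written in absolute form ('my.host.name.'); a
    shortname ('my') is compared as-is and is not expanded.
    """
    host = normalize_for_cert_match(requested)
    return any(_san_matches(san, host) for san in dns_sans)


# Constructed sample SAN list, as might appear in a certificate.
SAMPLE_SANS = ["my.host.name", "*.example.com"]

if __name__ == "__main__":
    for req in ("my.host.name.", "MY.HOST.NAME", "www.example.com.", "my"):
        print(f"{req!r:20} -> {cert_matches(SAMPLE_SANS, req)}")
```

The shortname case is the one the message singles out: `cert_matches(SAMPLE_SANS, "my")` returns False rather than guessing a suffix, because nothing at this layer knows which search path the resolver used to open the connection.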