looking for terminology recommendations concerning non-rooted FQDNs
Jay Ashworth
jra at baylink.com
Mon Feb 25 18:18:05 UTC 2013
----- Original Message -----
> From: "Brian Reichert" <reichert at numachi.com>
> On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> > If I understood Brian correctly, his problem is that people/programs
> > are trying to retrieve things from, eg:
> >
> > https://my.host.name./this/is/a/path
> >
> > and the SSL library fails the certificate match if the cert doesn't contain
> > the absolute domain name as an altName -- because *the browser* (or
> > whatever) does not normalize before calling the library.
>
> I'd argue that if you have an absolute domain name, then that _is_
> the 'normalized' form of the domain name; it's an unambiguous
> representation of the domain name. (Here, I'm treating the string
> as a serialized data structure.)
I disagree, and happily, I can tell you exactly why.
> Choosing to remove the notion of "this is rooted", and then asking
> any (all?) other layers to handle the introduced ambiguity sounds
> like setting yourself up for the issues that RFC 1535 was drawing
> attention to.
The interface we're talking about here is an application on a machine
asking the SSL library "does the certificate which I have retrieved and
handed to you for processing match this domain name?"
*Since that certificate has [possibly] come from a different machine*,
the context in which that evaluation must be done seems necessarily to
be "over the wire/remote", and -- if you accept my earlier premise --
*it[1] is inherently absolute, no matter what it contains*.
Since that context exists, you can then safely strip off the trailing
dot inside the library before making said comparison.
This is not the same circumstance as being presented with a shortname,
where the actual IP connection/SSL retrieval was done based on the
resolver applying a search path: in this case there's no obvious
thing which the library could add, whereas it *is* obvious what you
should strip (and, I allege, why) in the absolute-name-provided case.
[1] The context of the evaluation, and by extension, the context of the
string you're handing the SSL library to do the match.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
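The two cases Jay contrasts (an absolute name with a trailing dot versus a resolver-expanded shortname) are easy to see in code. The following is an added illustration, not code from the thread or from any particular SSL library; the certificate's subjectAltName entries and the search list are constructed sample values. It normalizes the name the application hands to the matcher (trailing dot stripped, case folded), performs a simple dNSName match with leftmost-label-only wildcards, and shows that for a shortname the only sensible place to qualify the name is at the resolver layer, before the matcher is called.

```python
"""Hostname normalization before certificate name matching (constructed example)."""
from __future__ import annotations

# Constructed sample: the dNSName entries of a certificate's subjectAltName.
SAMPLE_CERT_SANS = ("my.host.name", "*.example.test")

# Constructed sample: a resolver search list as found in resolv.conf.
SAMPLE_SEARCH_LIST = ("host.name", "example.test")


def normalize_hostname(name: str) -> str:
    """Return the form a certificate matcher should compare against.

    The evaluation context is already "remote", so the trailing dot that marks an
    absolute name carries no extra information for the match and is stripped.
    Case is folded because DNS names compare case-insensitively. An empty name
    (or a bare ".") is rejected rather than silently matched.
    """
    stripped = name.strip()
    if stripped.endswith("."):
        stripped = stripped[:-1]
    if not stripped or ".." in stripped:
        raise ValueError(f"invalid hostname: {name!r}")
    return stripped.lower()


def san_matches(san: str, hostname: str) -> bool:
    """Match one dNSName SAN against an already-normalized hostname.

    A wildcard is honoured only as the entire leftmost label, must be followed by
    at least two labels, and matches exactly one label (no partial or nested
    wildcards).
    """
    san_labels = san.lower().split(".")
    host_labels = hostname.split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san_labels[1:] or any("*" in lbl and lbl != "*" for lbl in san_labels):
        return False
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # refuse to match something as broad as "*.test"
    return all(p == "*" or p == h for p, h in zip(san_labels, host_labels))


def cert_matches(hostname: str, sans=SAMPLE_CERT_SANS, normalize: bool = True) -> bool:
    """Does any SAN cover the hostname? `normalize=False` shows the failure
    mode from the thread: the trailing dot becomes a spurious empty label."""
    target = normalize_hostname(hostname) if normalize else hostname.lower()
    return any(san_matches(san, target) for san in sans)


def resolver_candidates(name: str, search_list=SAMPLE_SEARCH_LIST) -> list[str]:
    """Candidate FQDNs a resolver would try for a name, mirroring search-list
    expansion. An absolute name (trailing dot) is never expanded; a shortname
    yields one candidate per search-list entry. The application must hand the
    candidate that actually resolved to the matcher, because the matcher has no
    way to recover it."""
    if name.endswith("."):
        return [normalize_hostname(name)]
    if "." in name:
        return [normalize_hostname(name)] + [f"{name}.{d}".lower() for d in search_list]
    return [f"{name}.{d}".lower() for d in search_list]


if __name__ == "__main__":
    print(cert_matches("my.host.name."))                  # True after normalization
    print(cert_matches("my.host.name.", normalize=False)) # False: trailing dot not stripped
    print(cert_matches("myhost"))                         # False: nothing to add in the library
    print(resolver_candidates("myhost"))                  # where qualification belongs
```

The shortname case never reaches a match: `cert_matches("myhost")` is false, and only `resolver_candidates` (the resolver/application layer) knows which search-list expansion produced the connection, which is the asymmetry the message describes.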