[Add] Potential erratum in RFC 8484

Martin Thomson <mt@lowentropy.net> Wed, 13 October 2021 05:28 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 264AD3A12D2 for <add@ietfa.amsl.com>; Tue, 12 Oct 2021 22:28:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=TxgRJOJV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=io+8dukU
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ueg4GYZGawL for <add@ietfa.amsl.com>; Tue, 12 Oct 2021 22:28:29 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 115C23A12D1 for <add@ietf.org>; Tue, 12 Oct 2021 22:28:28 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 521605C00BE; Wed, 13 Oct 2021 01:28:28 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Wed, 13 Oct 2021 01:28:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type; s= fm3; bh=gIjThgHJYfqHH8faFnnnxFBY8cOK9IRnoXvXF6hgZx4=; b=TxgRJOJV R3/MbNpX9Vz/7U4u4TkTax/fdx+ArdKfcpuz+KnKSK3CBcXQro1Jdt++L5W2WbKl 2a9w77brs5B2pdno34eMiKuYa01LO/4GDRcbk33Rb3QDV9DzB5CD/uPG+OK1Y+sG d4oFdsxHvH/Vw240SXFbs2vO+PIYdLJjGz8KVEyv8tyyaelcUMkFz81+CKSBrwxj agZemoNhXuzavypKe3tIq+qS3X2t41Ee3H2Cr4Pq0FZCaQdmk+KJ/9XAqriRxWWV ikEVbTAblKJr2hB1L5/LTMKfwHNLD5e5YJ59Zoiww5g0yFNRPbjz2tVLE+9pHSuV ka/h2+2vRTxJFQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=gIjThgHJYfqHH8faFnnnxFBY8cOK9 IRnoXvXF6hgZx4=; b=io+8dukUyV6kny8xFJz0LrsIMrJRUjkqvIMj7onC9Nw/I C+aFILdFjfZHvfammIWso8kIhh++dHEphadI7SlL6vupd6STW7KpCEnk7bwkikKm R2PO4Mir33DdO5SNUK6of+J213huTXNgabt+bmvDZVb+ttUhVGeVZJSkX7ghbqqP AubRYWruJEaZNdzOZDPZS8ofOATKxzsYzfeKUPHkv7dP2+qGEgu757MvQP9/pw4P 5i7JxVWU5Q6hkBx0JP22+/SXafZvWOp1biPuNxYFiYUT1V9LWeTjsnfWUvEwZQVv 3tc61HvrIZlLw/rXTLf1rqVIN4p8Dse3V9bvKkn0A==
X-ME-Sender: <xms:fG5mYWy_Vgl-hOtI8vHZ8pRQ6b53FPoqoEwDicqCewqdFaGgtfbItA> <xme:fG5mYSSlcFGN-njafpxzv26rCn2DtuhA1TfRFHClwdFGDKUJfAOxfahZVWjNIKsL9 Iq7FVdQ3F1Nmh5WPBs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrvddtledgledvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfffhffvufgtsehttdertd erredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigv nhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeevgfdutdfgjeefudeuheekhe ekudeugeehfeegveekkeegleevveffueduffehheenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:fG5mYYUA5U2X1MhHuB-tg5OKza4XW1g53OynPtxk9tMuQDlYlVOhCA> <xmx:fG5mYcgieP6CzP7tt-qns0lUCLM4ielrsIO2LdAAAdIA37Us4GbLaQ> <xmx:fG5mYYBDCgUgnEPBCg2fgX0POU8NR2M3d7mWIOZu0vR85joj-n5dnQ> <xmx:fG5mYX_YDiA8OZRsvEw2KJ36I7ul8Zm5wTUx5BFNhA8d1LQqV49aaA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 1D1663C0246; Wed, 13 Oct 2021 01:28:28 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-1345-g8441cd7852-fm-20211006.001-g8441cd78
Mime-Version: 1.0
Message-Id: <9316f233-6be2-4cf2-a7df-e4b1502b11c6@www.fastmail.com>
Date: Wed, 13 Oct 2021 16:28:07 +1100
From: "Martin Thomson" <mt@lowentropy.net>
To: add@ietf.org, draft-ietf-doh-dns-over-https@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/DNAS6zgwifK8QA5-oTvVRoM3BtY>
Subject: [Add] Potential erratum in RFC 8484
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 05:28:34 -0000

In Section 10, the following text is wrong:

> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) for Certificate Revocation List (CRL) fetching (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.  

The OCSP part is fine, but the AIA piece is whacky.

For context, there are three different ways (to my knowledge) that a client might make outbound connections in order to validate or build a certification path.

1. CRL - this is a simple fetch of CRLs from the designated location.  This rarely happens any more as it is grossly inefficient, but it could happen in theory.  

2. OCSP - this is an OCSP query for the status of a certificate.

3.  AIA chasing - this is where the TLS handshake doesn't include the full set of certificates required to validate the end-entity certificate, but the certificate includes a URL for that certificate.

AIA itself is a multi-purpose field.  It can include multiple elements, one of which is the identity of an OCSP responder (the same one used in (2) above) and the other being the one used in (3).  It does not include CRL distribution points, as the text implies.

Corrected text might read like:

> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers, Certificate Revocation List (CRL) distribution points (see Section 4.2.1.13 of [RFC5280]), or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.

Or the version without CRLs:

> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.

It's a little embarrassing to note this error given how active I was in drafting the original text.  In my defense, I found a version of this error in the -05 draft, so it evaded notice for quite some time.