Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Mon, 10 June 2019 16:22 UTC

References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com> <02DFBB01-F7BA-4BCA-B8C5-CF14E8B7A6F4@cisco.com> <20190604192843.gbavqofsq4btcgx3@faui48f.informatik.uni-erlangen.de> <045A7809-CB6F-493E-B9F2-FBF563AD5378@cisco.com> <20190607211720.y63ysayeqtkgi3lj@faui48f.informatik.uni-erlangen.de> <60BB0A11-A12B-4EA5-9379-12C75100D64C@cisco.com> <77dc7db3-e281-2475-6909-c9c5a982f973@gmail.com> <CABcZeBPcJN9eweSW8ayVAbyehjizycpLN2=dDe1txZEh8dm7QQ@mail.gmail.com> <6636.1560178188@localhost>
In-Reply-To: <6636.1560178188@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 10 Jun 2019 09:21:47 -0700
Message-ID: <CABcZeBOJrnhi1vhZ5dcfS3-3DH_duWKCora-+AjARx5MwfUi+g@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Anima WG <anima@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d2bde1058afa959a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/s4-OpAAbuoMET6mzOjyoDX1Dkxk>
Subject: Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

On Mon, Jun 10, 2019 at 7:49 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> {I've clipped the CC list}
>
> Eric Rescorla <ekr@rtfm.com> wrote:
>     >> On 09-Jun-19 01:37, Eliot Lear wrote:
>     >> >
>     >> >> On 7 Jun 2019, at 23:17, Toerless Eckert <tte@cs.fau.de> wrote:
>     >> >>
>     >> >> Ok, now I got you (I hope ;-).
>     >> >>
>     >> >> I really liked the c1sco example (not sure if we should mention a real
>     >> >> company name in such an RFC; someone not reading the draft might take
>     >> >> offense, maybe examp1e.com instead though).
>     >> >
>     >> > This is a bit tricky with the glyph attack, but certainly the base
>     >> > should be example.com.
>     >>
>     >> Can you use null.example.com and nu11.example.com?
>
>     > That's a little unfortunate from the perspective of this attack
>     > because .com is a public suffix [0] whereas example.com is not.
>
>     > -Ekr
>
>     > [0] https://publicsuffix.org/
>
> Okay, I'm trying to understand the relevance of this from the point of an
> example in an RFC.
>
> We need to put the example under example.*, but we can't use examp1e.com,
> because it's not an example domain.
>
> Brian suggested the example null vs nu11.
> This is not about super-cookies, etc. and it doesn't suggest any kind of
> process involving the list of public suffixes.

The general shape of this kind of attack is that the attacker wants to
impersonate A and so gets a domain with name A' that looks like A. However,
this depends on A' being something the attacker can register. The public
suffix list embodies the concept (more or less) of "anyone can register
here". By contrast, a.example.com is (I assume) owned by example.com and so
your average attacker can't do anything with b.example.com.

-Ekr
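The distinction Ekr draws above (a lookalike name only matters if it sits in a part of the namespace a third party can register) is exactly what a registrable-domain check decides. The following is an added example, not code from this thread or from the BRSKI draft: `RULES` is a constructed subset of the Public Suffix List (https://publicsuffix.org/) in that list's own rule syntax, `CONFUSABLE` is a constructed map of the digit-for-letter substitutions used in the thread's examples, and the function names are hypothetical. It implements the general PSL matching rules (plain, `*.` wildcard and `!` exception rules), so it goes slightly beyond the two names discussed, and then classifies a candidate name the way a brand-monitoring or certificate-issuance check would.

```python
# Added example (not from the thread or the BRSKI draft). RULES is a
# constructed subset of the Public Suffix List, https://publicsuffix.org/,
# written in the list's own syntax: plain rules, "*." wildcard rules and
# "!" exception rules.
RULES = ["com", "net", "org", "uk", "co.uk", "jp",
         "*.kawasaki.jp", "!city.kawasaki.jp"]

# Constructed single-character confusables matching the thread's examples
# (1 for l, 0 for o); real confusable tables (Unicode UTS #39) are far larger.
CONFUSABLE = {"1": "l", "0": "o", "5": "s", "3": "e"}


def _labels(host):
    return host.lower().strip(".").split(".")


def public_suffix(host, rules=RULES):
    """Longest matching rule wins. An exception rule ("!") beats every other
    match and yields a suffix one label shorter than the rule. A host that
    matches no rule falls back to its last label (the PSL's implicit "*")."""
    labels = _labels(host)
    for i in range(len(labels)):            # longest candidate suffix first
        candidate = labels[i:]
        matched = None
        for rule in rules:
            parts = rule.lstrip("!").split(".")
            if len(parts) != len(candidate):
                continue
            if all(r == "*" or r == c for r, c in zip(parts, candidate)):
                if rule.startswith("!"):
                    return ".".join(candidate[1:])
                matched = ".".join(candidate)
        if matched:
            return matched
    return labels[-1]


def registrable_domain(host, rules=RULES):
    """Public suffix plus one label: the unit a registrar hands out to the
    public. Returns None when the host is itself a public suffix."""
    labels = _labels(host)
    k = len(public_suffix(host, rules).split("."))
    if len(labels) <= k:
        return None
    return ".".join(labels[-(k + 1):])


def fold_confusables(name):
    """Map confusable characters onto the letters they imitate."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in name.lower())


def assess_lookalike(target, candidate, rules=RULES):
    """Classify a candidate name against the name it resembles.

    same-owner: the candidate is under the target's own registrable domain
        (nu11.example.com vs null.example.com); only the owner of
        example.com can create it, so no third-party registration exists.
    registrable-lookalike: a distinct registrable domain that folds to the
        target's (examp1e.com vs example.com); the case worth flagging.
    not-confusable: the two names do not fold together at all.
    """
    t_reg = registrable_domain(target, rules)
    c_reg = registrable_domain(candidate, rules)
    if c_reg is not None and c_reg == t_reg:
        verdict = "same-owner"
    elif fold_confusables(candidate) == fold_confusables(target):
        verdict = "registrable-lookalike"
    else:
        verdict = "not-confusable"
    return {"target": t_reg, "candidate": c_reg, "verdict": verdict}


if __name__ == "__main__":
    for t, c in [("null.example.com", "nu11.example.com"),
                 ("example.com", "examp1e.com"),
                 ("example.com", "example.net")]:
        print(t, "vs", c, "->", assess_lookalike(t, c))
```

Run against the thread's two candidates, `nu11.example.com` resolves to the same registrable domain as `null.example.com` and is reported as `same-owner`, while `examp1e.com` is its own registrable domain under the public suffix `com` and is reported as `registrable-lookalike`. Anything doing this for real should load the current full list rather than the constructed subset, since wildcard and exception rules change what counts as registrable.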