IETF Logo Mail Archive

Re: Additional reviews of draft-daboo-srv-email-02.txt needed

Shumon Huque <shuque@isc.upenn.edu> Mon, 24 August 2009 19:02 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D0BC3A6E86 for <apps-discuss@core3.amsl.com>; Mon, 24 Aug 2009 12:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o+RraW86XY54 for <apps-discuss@core3.amsl.com>; Mon, 24 Aug 2009 12:02:50 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 48B3E3A6E88 for <apps-discuss@ietf.org>; Mon, 24 Aug 2009 12:02:50 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 6AA9F28D3; Mon, 24 Aug 2009 15:02:56 -0400 (EDT)
Date: Mon, 24 Aug 2009 15:02:56 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Subject: Re: Additional reviews of draft-daboo-srv-email-02.txt needed
Message-ID: <20090824190256.GA19213@isc.upenn.edu>
References: <4A8D28AA.4060906@isode.com> <4A8E30A8.9050307@tana.it> <4A8E99B2.1060002@isode.com> <20090824180434.GA16812@isc.upenn.edu> <4A92DCE3.5080300@alcatel-lucent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4A92DCE3.5080300@alcatel-lucent.com>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: apps-discuss@ietf.org, Alessandro Vesely <vesely@tana.it>
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2009 19:02:51 -0000

On Mon, Aug 24, 2009 at 01:33:07PM -0500, Vijay K. Gurbani wrote:
> Shumon Huque wrote:
> >Quite true, although an important question is how the domain part
> >is advertised in the certificate. Most likely it will be put in
> >the the common name or the subjectaltname's DNSname field. But
> >in many cases that poses a security problem, if other services
> >unrelated to IMAP (or POP3 and submission) are also hosted at
> >the domain part. If we issue an "example.com" certificate to the
> >IMAP service, it could use that to impersonate any TLS service at
> >that domain unrelated to IMAP (eg. jabber, https, etc).
> 
> That is quite true (though I am not sure whether it is
> "impersonation", per se; after all, it is a signed and issued
> certificate.)

Well, it may have been signed and issued correctly. But since the 
embedded identity wasn't specified with sufficient granularity, it 
could be used for purposes other than intended. And this leads to
the impersonation threat.

In a large enough organization, different services at the same
domain name may be operated by different folks, on different
systems, with different security requirements. You normally
don't want the operator of one of those services being able
to impersonate the identity of another. Either deliberately,
or because it got compromised by an attacker.

> >I'm not sure we have a good practical solution to this problem.
> 
> The notion of tying an identity in the certificate to a specific
> use is reasonable, I think.  The way we did this in our SIP
> work was to have a SIP-specific extended key usage (EKU) -- see
> http://tools.ietf.org/html/draft-ietf-sip-eku-05.
> 
> However, EKUs have their own set of emotional baggage,
> including the fact that existing certificates will not have
> the specific extension specified.

Yeah, that's an interesting way to address this. But I think
it has an even bigger deployment problem than RFC 4985. You'd
need to define a new EKU for each new service. With RFC 4985,
one general purpose spec could potentially be used for all
services that use DNS SRV records.

--Shumon.

v2.23.0 | Report a Bug | By Email