Re: Additional reviews of draft-daboo-srv-email-02.txt needed
Shumon Huque <shuque@isc.upenn.edu> Mon, 24 August 2009 19:02 UTC
Return-Path: <shuque@isc.upenn.edu>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D0BC3A6E86 for <apps-discuss@core3.amsl.com>; Mon, 24 Aug 2009 12:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o+RraW86XY54 for <apps-discuss@core3.amsl.com>; Mon, 24 Aug 2009 12:02:50 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 48B3E3A6E88 for <apps-discuss@ietf.org>; Mon, 24 Aug 2009 12:02:50 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 6AA9F28D3; Mon, 24 Aug 2009 15:02:56 -0400 (EDT)
Date: Mon, 24 Aug 2009 15:02:56 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Subject: Re: Additional reviews of draft-daboo-srv-email-02.txt needed
Message-ID: <20090824190256.GA19213@isc.upenn.edu>
References: <4A8D28AA.4060906@isode.com> <4A8E30A8.9050307@tana.it> <4A8E99B2.1060002@isode.com> <20090824180434.GA16812@isc.upenn.edu> <4A92DCE3.5080300@alcatel-lucent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4A92DCE3.5080300@alcatel-lucent.com>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: apps-discuss@ietf.org, Alessandro Vesely <vesely@tana.it>
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2009 19:02:51 -0000
On Mon, Aug 24, 2009 at 01:33:07PM -0500, Vijay K. Gurbani wrote: > Shumon Huque wrote: > >Quite true, although an important question is how the domain part > >is advertised in the certificate. Most likely it will be put in > >the the common name or the subjectaltname's DNSname field. But > >in many cases that poses a security problem, if other services > >unrelated to IMAP (or POP3 and submission) are also hosted at > >the domain part. If we issue an "example.com" certificate to the > >IMAP service, it could use that to impersonate any TLS service at > >that domain unrelated to IMAP (eg. jabber, https, etc). > > That is quite true (though I am not sure whether it is > "impersonation", per se; after all, it is a signed and issued > certificate.) Well, it may have been signed and issued correctly. But since the embedded identity wasn't specified with sufficient granularity, it could be used for purposes other than intended. And this leads to the impersonation threat. In a large enough organization, different services at the same domain name may be operated by different folks, on different systems, with different security requirements. You normally don't want the operator of one of those services being able to impersonate the identity of another. Either deliberately, or because it got compromised by an attacker. > >I'm not sure we have a good practical solution to this problem. > > The notion of tying an identity in the certificate to a specific > use is reasonable, I think. The way we did this in our SIP > work was to have a SIP-specific extended key usage (EKU) -- see > http://tools.ietf.org/html/draft-ietf-sip-eku-05. > > However, EKUs have their own set of emotional baggage, > including the fact that existing certificates will not have > the specific extension specified. Yeah, that's an interesting way to address this. But I think it has an even bigger deployment problem than RFC 4985. You'd need to define a new EKU for each new service. With RFC 4985, one general purpose spec could potentially be used for all services that use DNS SRV records. --Shumon.
- Additional reviews of draft-daboo-srv-email-02.tx… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Simon Josefsson
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Vijay K. Gurbani
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Cyrus Daboo
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Peter Saint-Andre
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alexey Melnikov
- Re: Additional reviews of draft-daboo-srv-email-0… Tony Finch
- Re: Additional reviews of draft-daboo-srv-email-0… Shumon Huque
- Re: Additional reviews of draft-daboo-srv-email-0… Alessandro Vesely