Re: [certid] What security does SRV-ID add when DNS-ID will always match?

Matt McCutchen <matt@mattmccutchen.net> Mon, 17 January 2011 20:52 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4D349F3E.3060601@KingsMountain.com>
References: <4D349F3E.3060601@KingsMountain.com>
Date: Mon, 17 Jan 2011 15:55:19 -0500
Message-ID: <1295297719.2221.81.camel@mattlaptop2.local>
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] What security does SRV-ID add when DNS-ID will always match?

On Mon, 2011-01-17 at 11:57 -0800, =JeffH wrote:
> > The use of SRV-IDs is supposed to ensure that the client connects to the
> > service type it wanted from among the services available at the DNS name
> > it wanted.  However, given that...
> >
> > - The client's list of reference identifiers MUST include a DNS-ID
> > (section 6.2.10)
> 
> you mean S6.2.1, yes?

Yes (typo)

> > - The examples of server certificates that include a SRV-ID (section
> > 4.2) also include a DNS-ID
> > - The server ID check succeeds if any reference identifier matches any
> > presented identifier (section 6.3)
> >
> > it would appear that the DNS-IDs will always match, making the service
> > types in the SRV-IDs irrelevant.  Am I right?
> 
> thx for the headsup, but I don't think so, see section 6.5...
> 
> ###
> 
> 6.5. Matching the Application Type Portion
> 
> 
>     If a client supports checking of identifiers of type SRV-ID and
>     URI-ID, it MUST also check the service type of the application
>     service with which it communicates (in addition to checking the
>     domain name as described above).
[...]
> ###

Maybe I am misunderstanding how that section applies.  Let's consider an
example.

Reference identifiers:
1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:
3. SRV-ID _xmpp-server.example.net
4. DNS-ID example.net

The client checks each reference identifier against each presented
identifier (section 6.3).

#1 and #3: The service types differ, so no match.
#1 and #4: One identifier specifies a service type and the other
doesn't.  The behavior in this case is not spelled out, but I would
assume there is no match.
#2 and #3: Ditto.
#2 and #4: Neither identifier specifies service type, and the DNS names
are the same.  Is this a match?  If so, we get the problem I originally
described.

Are you saying that a client that "supports checking of identifiers of
type SRV-ID and URI-ID" MUST NOT compare two DNS-IDs, because they do
not contain the service type information that the client is required to
check?  If so, then in the following example:

Reference identifiers:
1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:
4. DNS-ID example.net

we would get "no match", when it seems a match would be helpful for
backward compatibility.

-- 
Matt
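The pairwise check the message walks through, written out as runnable code so the two readings of section 6.5 can be compared side by side. This is an added example, not code from the draft or from either participant: the `Identifier`, `srv_id`, `dns_id`, `pair_matches` and `verify` names are the example's own, the "_service.domain" spelling of SRV-IDs follows the message, the SRV-ID/DNS-ID mixed pair is treated as "no match" (the assumption the message makes), and whether a DNS-ID/DNS-ID pair may succeed on its own is exposed as the `skip_dns_only_pairs` flag because the quoted draft text does not settle it.

```python
"""Reference/presented identifier matching as discussed in the thread.

Added example (not the draft's or the list's code). Models:
  - section 6.3: the check succeeds if ANY reference identifier matches ANY
    presented identifier;
  - section 6.5: a client that checks SRV-IDs must also compare service types;
  - the open question: does a DNS-ID vs DNS-ID pair count on its own?
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identifier:
    kind: str                      # "DNS-ID" or "SRV-ID"
    domain: str                    # normalised DNS name, e.g. "example.net"
    service: Optional[str] = None  # "imaps" for an SRV-ID, None for a DNS-ID


def _norm_domain(name: str) -> str:
    # Case-insensitive, ignore a trailing dot; no wildcard handling here.
    return name.lower().rstrip(".")


def dns_id(name: str) -> Identifier:
    return Identifier("DNS-ID", _norm_domain(name))


def srv_id(name: str) -> Identifier:
    """Parse the '_service.domain' spelling used in the message."""
    if not name.startswith("_"):
        raise ValueError(f"not an SRV-ID: {name!r}")
    service, _, domain = name[1:].partition(".")
    if not service or not domain:
        raise ValueError(f"malformed SRV-ID: {name!r}")
    return Identifier("SRV-ID", _norm_domain(domain), service.lower())


def pair_matches(ref: Identifier, pres: Identifier) -> bool:
    """One reference identifier against one presented identifier.

    - domains must be equal;
    - SRV-ID vs SRV-ID: service types must be equal too (section 6.5);
    - SRV-ID vs DNS-ID, either way round: not spelled out in the draft,
      assumed to be no match (as the message assumes);
    - DNS-ID vs DNS-ID: a domain-only match.
    """
    if ref.domain != pres.domain:
        return False
    if ref.service is None and pres.service is None:
        return True
    if ref.service is not None and pres.service is not None:
        return ref.service == pres.service
    return False


def verify(reference_ids: List[Identifier], presented_ids: List[Identifier],
           *, skip_dns_only_pairs: bool) -> bool:
    """Section 6.3 rule: success if any reference/presented pair matches.

    skip_dns_only_pairs=True models the stricter reading of section 6.5 the
    message asks about: a client that checks service types does not accept a
    DNS-ID/DNS-ID pair by itself.
    """
    for ref in reference_ids:
        for pres in presented_ids:
            if skip_dns_only_pairs and ref.service is None and pres.service is None:
                continue
            if pair_matches(ref, pres):
                return True
    return False


# Constructed inputs: the two scenarios laid out in the message.
REFERENCE = [srv_id("_imaps.example.net"), dns_id("example.net")]
PRESENTED_XMPP_CERT = [srv_id("_xmpp-server.example.net"), dns_id("example.net")]
PRESENTED_DNS_ONLY_CERT = [dns_id("example.net")]


def scenario_results() -> Dict[str, bool]:
    """Outcome of each scenario under the lenient and the strict reading."""
    return {
        # Lenient: #2 vs #4 matches, so the XMPP cert passes an IMAPS check.
        "xmpp_cert_lenient": verify(REFERENCE, PRESENTED_XMPP_CERT, skip_dns_only_pairs=False),
        # Strict: the service-type mismatch is caught.
        "xmpp_cert_strict": verify(REFERENCE, PRESENTED_XMPP_CERT, skip_dns_only_pairs=True),
        # Lenient: a DNS-ID-only cert still verifies (backward compatibility).
        "dns_only_lenient": verify(REFERENCE, PRESENTED_DNS_ONLY_CERT, skip_dns_only_pairs=False),
        # Strict: the DNS-ID-only cert is rejected outright.
        "dns_only_strict": verify(REFERENCE, PRESENTED_DNS_ONLY_CERT, skip_dns_only_pairs=True),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:20s} -> {'match' if ok else 'no match'}")
```

Running it reproduces both horns of the question: with DNS-ID/DNS-ID pairs allowed, a certificate carrying `_xmpp-server.example.net` satisfies an IMAPS client because the bare DNS-IDs agree; with them excluded, that certificate is rejected, but so is a certificate that presents only `DNS-ID example.net`.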