Re: [certid] What security does SRV-ID add when DNS-ID will always match?
Matt McCutchen <matt@mattmccutchen.net> Mon, 17 January 2011 20:52 UTC
From: Matt McCutchen <matt@mattmccutchen.net>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4D349F3E.3060601@KingsMountain.com>
References: <4D349F3E.3060601@KingsMountain.com>
Date: Mon, 17 Jan 2011 15:55:19 -0500
Message-ID: <1295297719.2221.81.camel@mattlaptop2.local>
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] What security does SRV-ID add when DNS-ID will always match?
On Mon, 2011-01-17 at 11:57 -0800, =JeffH wrote:
> > The use of SRV-IDs is supposed to ensure that the client connects to the
> > service type it wanted from among the services available at the DNS name
> > it wanted. However, given that...
> >
> > - The client's list of reference identifiers MUST include a DNS-ID
> > (section 6.2.10)
>
> you mean S6.2.1, yes?

Yes (typo)

> > - The examples of server certificates that include a SRV-ID (section
> > 4.2) also include a DNS-ID
> > - The server ID check succeeds if any reference identifier matches any
> > presented identifier (section 6.3)
> >
> > it would appear that the DNS-IDs will always match, making the service
> > types in the SRV-IDs irrelevant. Am I right?
>
> thx for the headsup, but I don't think so, see section 6.5...
>
> ###
>
> 6.5. Matching the Application Type Portion
>
>
> If a client supports checking of identifiers of type SRV-ID and
> URI-ID, it MUST also check the service type of the application
> service with which it communicates (in addition to checking the
> domain name as described above). [...]
> ###

Maybe I am misunderstanding how that section applies.  Let's consider an
example.

Reference identifiers:
1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:
3. SRV-ID _xmpp-server.example.net
4. DNS-ID example.net

The client checks each reference identifier against each presented
identifier (section 6.3).

#1 and #3: The service types differ, so no match.

#1 and #4: One identifier specifies a service type and the other doesn't.
The behavior in this case is not spelled out, but I would assume there is
no match.

#2 and #3: Ditto.

#2 and #4: Neither identifier specifies service type, and the DNS names
are the same.  Is this a match?  If so, we get the problem I originally
described.

Are you saying that a client that "supports checking of identifiers of
type SRV-ID and URI-ID" MUST NOT compare two DNS-IDs, because they do
not contain the service type information that the client is required to
check?  If so, then in the following example:

Reference identifiers:
1. SRV-ID _imaps.example.net
2. DNS-ID example.net

Presented identifiers:
4. DNS-ID example.net

we would get "no match", when it seems a match would be helpful for
backward compatibility.

-- 
Matt
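The two scenarios in this message, worked through in code as an added example (editor's illustration, not code from the thread, the draft, or any client implementation). Identifiers are modelled as (type, value) pairs; a DNS-ID compared against an SRV-ID is treated as a non-match, which is the assumption the mail makes for the case the draft leaves unspecified. The three policy names are labels chosen here to stand for the three readings the mail raises: the literal "any reference matches any presented" reading, the "MUST NOT fall back to DNS-ID" reading Matt asks about, and a DNS-ID fallback that applies only when the certificate presents no SRV-ID at all.

```python
"""Matching reference identifiers against a certificate's presented
identifiers, for the SRV-ID / DNS-ID scenario discussed in the thread.

An identifier is a (type, value) pair such as ("DNS-ID", "example.net")
or ("SRV-ID", "_imaps.example.net"). The three policy names below are
labels invented for this example, not terms from the draft.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Identifier = Tuple[str, str]


def split_srv_id(value: str) -> Tuple[str, str]:
    """Split "_imaps.example.net" into ("_imaps", "example.net")."""
    service, _, domain = value.partition(".")
    if not service.startswith("_") or not domain:
        raise ValueError(f"malformed SRV-ID: {value!r}")
    return service.lower(), domain.lower().rstrip(".")


def dns_name_of(ident: Identifier) -> str:
    kind, value = ident
    if kind == "SRV-ID":
        return split_srv_id(value)[1]
    return value.lower().rstrip(".")


def service_of(ident: Identifier) -> Optional[str]:
    kind, value = ident
    return split_srv_id(value)[0] if kind == "SRV-ID" else None


def identifiers_match(ref: Identifier, pres: Identifier) -> bool:
    """One reference identifier against one presented identifier.

    SRV-ID vs SRV-ID: service type and domain must both agree.
    DNS-ID vs DNS-ID: domains must agree (exact match; wildcards are
    out of scope here).
    Mixed types: no match, the assumption the mail makes for the case
    the draft leaves unspecified.
    """
    if ref[0] != pres[0]:
        return False
    return (dns_name_of(ref) == dns_name_of(pres)
            and service_of(ref) == service_of(pres))


def server_identity_ok(refs: Iterable[Identifier],
                       presented: Iterable[Identifier],
                       policy: str = "any-match") -> bool:
    refs, presented = list(refs), list(presented)
    srv_refs = [r for r in refs if r[0] == "SRV-ID"]
    dns_refs = [r for r in refs if r[0] == "DNS-ID"]

    def any_pair(rs: List[Identifier]) -> bool:
        return any(identifiers_match(r, p) for r in rs for p in presented)

    if policy == "any-match" or not srv_refs:
        # Literal reading of "any reference matches any presented":
        # a DNS-ID match alone is enough, whatever the SRV-IDs say.
        return any_pair(refs)
    if policy == "srv-strict":
        # A client that checks SRV-IDs accepts nothing but an SRV-ID match.
        return any_pair(srv_refs)
    if policy == "srv-with-dns-fallback":
        # SRV-ID first; fall back to DNS-ID only when the certificate
        # presents no SRV-ID at all (the backward-compatibility case).
        if any_pair(srv_refs):
            return True
        if any(p[0] == "SRV-ID" for p in presented):
            return False
        return any_pair(dns_refs)
    raise ValueError(f"unknown policy: {policy!r}")


# The thread's inputs: the client wants IMAPS at example.net.
REFS: List[Identifier] = [("SRV-ID", "_imaps.example.net"),
                          ("DNS-ID", "example.net")]
# A certificate issued for the XMPP server at the same domain.
XMPP_CERT: List[Identifier] = [("SRV-ID", "_xmpp-server.example.net"),
                               ("DNS-ID", "example.net")]
# A pre-SRV-ID certificate carrying only a DNS-ID.
LEGACY_CERT: List[Identifier] = [("DNS-ID", "example.net")]

POLICIES = ("any-match", "srv-strict", "srv-with-dns-fallback")


def thread_cases() -> Dict[Tuple[str, str], bool]:
    """Outcome of each policy for both certificates from the mail."""
    return {(policy, name): server_identity_ok(REFS, cert, policy)
            for policy in POLICIES
            for name, cert in (("xmpp_cert", XMPP_CERT),
                               ("legacy_cert", LEGACY_CERT))}


if __name__ == "__main__":
    for (policy, cert), ok in thread_cases().items():
        print(f"{policy:24s} {cert:12s} {'accept' if ok else 'reject'}")
```

Running it shows the two outcomes the mail is worried about side by side: under the literal any-match reading the XMPP server's certificate is accepted for the IMAPS connection because its DNS-ID matches, so the service type in the SRV-ID never affects the result; under the strict reading that same certificate is rejected, but so is a DNS-ID-only certificate, which is the backward-compatibility cost Matt points out. Only the fallback variant rejects the first and accepts the second.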