IETF Logo Mail Archive

[certid] section 4.6 rewrite (aka: Bad certificate handling)

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 29 September 2010 21:27 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 914BD3A6E17 for <certid@core3.amsl.com>; Wed, 29 Sep 2010 14:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.137
X-Spam-Level:
X-Spam-Status: No, score=-102.137 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ETLXwHPyElml for <certid@core3.amsl.com>; Wed, 29 Sep 2010 14:27:02 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com [67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id 320D33A6E12 for <certid@ietf.org>; Wed, 29 Sep 2010 14:27:02 -0700 (PDT)
Received: (qmail 31752 invoked by uid 0); 29 Sep 2010 21:27:46 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 29 Sep 2010 21:27:46 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=H9+VZ51Eb4s63IRsg2bpQTHCG35po96L5DnJpApnVKVl0qk3TFO8lCPZtkvW6gzy41sceN+Ne5nfjvSoM8e6QZ4aMssxfXbjiVBsKnih+3bKFGZSh/ct/IStTirtbz7y;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.179]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1P14Bl-00056p-SI for certid@ietf.org; Wed, 29 Sep 2010 15:27:45 -0600
Message-ID: <4CA3AF50.6050101@KingsMountain.com>
Date: Wed, 29 Sep 2010 14:27:44 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [certid] section 4.6 rewrite (aka: Bad certificate handling)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 21:27:03 -0000

I and PeterSA took a hard look at section "4.6 Outcome" (aka: Bad certificate 
handling) and indeed its language needed some semi-major rewriting, which we've 
done. The entire new section "4.6 Outcome" is below.

comments?

thanks,

=JeffH

###

4.6.  Outcome

    The outcome of the checking procedure is one of the following cases.

4.6.1.  Case #1: Match Found

    If the client has found a presented identifier that matches a
    reference identifier, matching has succeeded.  In this case, the
    client MUST use the matched reference identifier as the validated
    identity of the server.

4.6.2.  Case #2: No Match Found, Cached Certificate

    If the client does not find a presented identifier matching any of
    the reference identifiers, and (a) a human user has previously
    accepted and cached a certificate for this application service during
    a previous interaction with the service or (b) a certificate has been
    cached via configuration settings, then the client MUST verify that
    the presented certificate matches the cached certificate.  If the
    presented certificate does not match the cached certificate then the
    client MUST proceed as described under Section 4.6.4.

4.6.3.  Case #3: No Match Found, No Cached Certificate

    If the client does not find a presented identifier matching any of
    the reference identifiers, and the client has not previously cached a
    certificate for this application service based on user acceptance or
    configuration, then the client MUST proceed as described under
    Section 4.6.4.

4.6.4.  Fallback

    If the client is an interactive client that is directly controlled by
    a human user, then it SHOULD inform the user of the identity mismatch
    and automatically terminate the connection with a bad certificate
    error; this behavior is preferable because it prevents users from
    inadvertently bypassing security protections in hostile situations.

       Security Note: Some interactive clients give advanced users the
       option of proceeding with acceptance and caching of the presented
       certificate despite an identity mismatch.  Although this behavior
       can be appropriate in certain specialized circumstances, in
       general it ought to be exposed only to advanced users.  Even then
       it needs to be handled with extreme caution, for example by first
       encouraging even an advanced user to terminate the connection and,
       if the advanced user chooses to proceed anyway, by forcing the
       user to view the entire certification path and only then allowing
       the user to accept the certificate (on a temporary or permanent
       basis, at the user's option).

    Otherwise, if the client is an automated application not directly
    controlled by a human user, then it SHOULD terminate the connection
    with a bad certificate error and log the error appropriately.  An
    automated application MAY provide a configuration setting that
    disables this behavior, but MUST enable the behavior by default.

###

v2.8.7 | Report a Bug | By Email