Re: [certid] user overrides (was: Re: Fwd: [apps-discuss] draft-saintandre-tls-server-id-check and user overrides)
"Thomson, Martin" <Martin.Thomson@andrew.com> Thu, 10 June 2010 05:43 UTC
Return-Path: <Martin.Thomson@andrew.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id A815E3A69EB for <certid@core3.amsl.com>;
Wed, 9 Jun 2010 22:43:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.739
X-Spam-Level:
X-Spam-Status: No, score=-4.739 tagged_above=-999 required=5 tests=[AWL=-2.140,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2tQAnGLxNp5 for
<certid@core3.amsl.com>; Wed, 9 Jun 2010 22:43:19 -0700 (PDT)
Received: from csmailgw1.commscope.com (csmailgw1.commscope.com
[198.135.207.244]) by core3.amsl.com (Postfix) with ESMTP id F25623A6982 for
<certid@ietf.org>; Wed, 9 Jun 2010 22:43:18 -0700 (PDT)
Received: from [10.86.20.103] ([10.86.20.103]:6101 "EHLO
ACDCE7HC2.commscope.com") by csmailgw1.commscope.com with ESMTP id
S24314891Ab0FJFnU (ORCPT <rfc822; certid@ietf.org>);
Thu, 10 Jun 2010 00:43:20 -0500
Received: from SISPE7HC1.commscope.com (10.97.4.12) by ACDCE7HC2.commscope.com
(10.86.20.103) with Microsoft SMTP Server (TLS) id 8.1.436.0;
Thu, 10 Jun 2010 00:43:19 -0500
Received: from SISPE7MB1.commscope.com ([fe80::9d82:a492:85e3:a293]) by
SISPE7HC1.commscope.com ([fe80::8a9:4724:f6bb:3cdf%10]) with mapi;
Thu, 10 Jun 2010 13:43:17 +0800
From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Peter Saint-Andre <stpeter@stpeter.im>,
IETF cert-based identity <certid@ietf.org>
Date: Thu, 10 Jun 2010 13:45:08 +0800
Thread-Topic: user overrides (was: Re: [certid] Fwd: [apps-discuss]
draft-saintandre-tls-server-id-check and user overrides)
Thread-Index: AcsIRu7MQoJVU4LuR8qxtl79s7FVegAC3x2A
Message-ID: <8B0A9FCBB9832F43971E38010638454F03E7F1FAC4@SISPE7MB1.commscope.com>
References: <4C104CC3.8070602@stpeter.im> <4C10516B.1000400@stpeter.im>
In-Reply-To: <4C10516B.1000400@stpeter.im>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-BCN: Meridius 1000 Version 3.4 on csmailgw1.commscope.com
X-BCN-Sender: Martin.Thomson@andrew.com
Subject: Re: [certid] user overrides (was: Re: Fwd: [apps-discuss]
draft-saintandre-tls-server-id-check and user overrides)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 05:43:20 -0000
Yes, it would be counter-productive to increase scope arbitrarily. Let's just drop anything about the "why". The rathole that opens is scary deep. I'm not looking for anything on validation either. What concerns me is that a) the implications of the override are not articulated; and b) this "pinning" or override function applies to certificates regardless of their RFC5280-determined validity; and c) your readership isn't being told any of this, most are working it out for themselves. Perhaps I can offer text for 3.6.3.1: A cached or "pinned" certificate need not be valid according to [PKIX]. A server that presents a pinned certificate is found to match based solely on its ability to prove that it possesses the private key that corresponds to the public key in the certificate. --Martin > -----Original Message----- > From: Peter Saint-Andre [mailto:stpeter@stpeter.im] > Sent: Thursday, 10 June 2010 12:44 PM > To: IETF cert-based identity > Cc: Thomson, Martin > Subject: user overrides (was: Re: [certid] Fwd: [apps-discuss] draft- > saintandre-tls-server-id-check and user overrides) > > On 6/9/10 8:24 PM, Peter Saint-Andre wrote: > > Forwarding from the apps-discuss@ietf.org list to maintain > continuity. > > > > -------- Original Message -------- > > Subject: [apps-discuss] draft-saintandre-tls-server-id-check and user > > overrides > > Date: Wed, 9 Jun 2010 09:46:41 +0800 > > From: Thomson, Martin <Martin.Thomson@andrew.com> > > To: apps-discuss@ietf.org <apps-discuss@ietf.org>rg>, > psaintan@cisco.com > > <psaintan@cisco.com>om>, Jeff.Hodges@PayPal.com <Jeff.Hodges@PayPal.com> > > > > In draft-saintandre-tls-server-id-check-05, Sections 3.6.2 and > 3.6.3.1 > > talk about user choice in interactively trusting a certificate. > > > > What is missing is discussion on "why" users might need to (or want > to) > > override the default behaviour. Usage practices aren't obvious, so > this > > seems like a good place to expand on this. > > I'm not sure if this is the spec in which to describe why a user might > need or want to override the default server identity checking behavior. > One example of a spec that provides some guidance in this area is > http://www.w3.org/TR/2010/WD-wsc-ui-20100309/ but that doesn't cover > non-browser or non-web applications, and in any case this is a matter > of > providing guidance to client developers regarding user interaction, > which is not exactly a matter of expertise in the IETF. However, I'm > open to accepting suggested text on this point. > > > It would be good if this described what are acceptable types of > > certificate validation failure and what aren't. Common reasons that > are > > potentially valid are: > > - not trusted (no CA) > > - expired certificate > > - wrong name > > - revoked certificate > > So far, with regard to client behavior this spec has been limited to > the > narrow topic of checking server identity, not the broader topic of > certificate validation. > > > Obviously, you aren't going to accept a certificate if the entity > > providing it could not prove that they possess the corresponding > private > > key. > > > > It might help to explain the significance of such an action - the > user > > is trusting the entity that is able to proof possession of the > private > > key that corresponds to the private key in the certificate. All > other > > data in the certificate becomes irrelevant. > > > > --Martin > > > > p.s. I don't know what happens in practice if a certificate is pinned > > before expiry and then subsequently expires. Same goes for > revocation. > > I'd be interested in learning what people do. Logic suggests that > if a > > certificate is accepted despite violating one criterion, it does not > > imply continued acceptance when another criteria are subsequently > violated. > > Again, those are interesting and important issues, but somewhat outside > the very limited scope that we have set for ourselves. > > As with other requests for broadening the scope of this spec, I'd like > to point out that we might very well write more specs on related topics > in the future, and perhaps eventually put them all together into a more > general BCP. However, given how contentious these issues can be, I > think > we'd prefer to do this work in a piecemeal fashion to start with > instead > of defining a grand unified theory from the beginning (because it's > unlikely that we would ever finish that task). > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > >
- [certid] Fwd: [apps-discuss] draft-saintandre-tls… Peter Saint-Andre
- [certid] user overrides (was: Re: Fwd: [apps-disc… Peter Saint-Andre
- Re: [certid] user overrides (was: Re: Fwd: [apps-… Thomson, Martin
- Re: [certid] user overrides Peter Saint-Andre
- Re: [certid] user overrides Thomson, Martin
- Re: [certid] user overrides Michael Ströder