IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Martin Rex <mrex@sap.com> Wed, 13 October 2010 22:19 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 446AF3A66B4 for <certid@core3.amsl.com>; Wed, 13 Oct 2010 15:19:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.892
X-Spam-Level:
X-Spam-Status: No, score=-9.892 tagged_above=-999 required=5 tests=[AWL=0.357, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1tcgo-cvFuW for <certid@core3.amsl.com>; Wed, 13 Oct 2010 15:19:18 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 0E79E3A67E2 for <certid@ietf.org>; Wed, 13 Oct 2010 15:19:17 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o9DMKTKP017941 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 14 Oct 2010 00:20:34 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201010132220.o9DMKTjG024980@fs4113.wdf.sap.corp>
To: stpeter@stpeter.im (Peter Saint-Andre)
Date: Thu, 14 Oct 2010 00:20:29 +0200 (MEST)
In-Reply-To: <4CB62A13.30401@stpeter.im> from "Peter Saint-Andre" at Oct 13, 10 03:52:19 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 22:19:19 -0000

Peter Saint-Andre wrote:
> 
> Jeff and I have been thinking about this independently today, and it
> seems we're going in the same direction. Following Martin Rex's argument
> to its logical conclusion has led me to believe that wildcards deserve
> to be NOT RECOMMENDED in a best current practice document.

I'm certainly in favor of NOT RECOMMENDING the use of any wildcards
to server admins (and to a lesser extent app protocol designers)
in the security considerations section of the server-id-check
document.

I'm less inclined about recommending to implementations to
not implement it at all (which is about utility functions of the
TLS implementation for use by the application).

Aside from pathological cases
(like a DV-validated cert issued with DNS-ID="*", "*.*", "*.*.*" and
 extremely "liberal" TLS-client-implementations of rfc-2818),
the risk about wildcard certs is more about the administrative
procedures of the server & domain admins using such certs.
Keep in mind that the security of all the servers in the domain
vitally depend on responsible admins and reasonably safe procedures,
and the matching rules described in server-id-check are hardly going
to affect that.

The other extreme, of server certificates that list several hundred
DNS-IDs is not necessarily safer than a single wildcard.

Rather than leaving the issue of wildcards as underspecified as
rfc-2818, I would appreciate a few words of what is commonly
available in current web browsers and could be implemented with
minor effort and low complexity.


-Martin

v2.8.7 | Report a Bug | By Email