Re: [certid] Review of draft-saintandre-tls-server-id-check

[Stefan Santesson <stefan@aaa-sec.com>]

Peter,

After the past discussions, the remaining things on my review list are:

General:
consider substituting ³PKIX-based systems² and ³PKIX Certificates² with ³PKI
systems based on RFC 5280² and ³RFC 5280 Certificates², alternatively
include [PKIX] brackets to clarify that it references RFC 5280.
 
 
General: 
I would consider stating that server certificates according to this profile
either MUST or SHOULD have the serverAuth EKU set since it is allways
related to the use of TSL and server authentication. At least it MUST be set
when allowing checks of the CN-ID (see 2.3 below).
 
 
1.3.2 and section 3
SRVName is described as an extension in 1.3.2, but is in fact a Subject Alt
Name (otherName form) RFC 4985.
This error is repeated in section 3, bullet 4, on page 16.
 
1.1. 
s/an application services/an application service
 
1.2
I find the following text is hard to understand:
³(this document addresses only the DNS domain name of the application
service itself, not the entire trust chain)²
I¹m not sure what the DNS domain name has to do with checking the entire
trust chain. Further, this document discuss more name forms than the DNS
domain name.
Perhaps this sentence was meant to say:
"(this document only addresses name forms in the leaf server certificate,
not any name forms in the chain of certificate used to validate the server
certificate)"
 
 
 
2.3
It would be good if we could restrict the use of CN-ID for storing a domain
name to the case when the serverAuth EKU is set. Requiring the EKU reduce
the probability that the CN-ID appears to be a domain name by accident or is
a domain name in the wrong context.
 
In many deployments, this also affects the name constraints processing to
perform domain name constraints also on the CN attribute.
 
There should at least be a rule stating that any client that accepts the CN
attribute to carry the domain name MUST also perform name constraints on
this attribute using the domain name logic if name constraints is applied to
the path. Failing this requirement poses a security threat if the claimed
domain name in CN-ID violated the name constraints set for domain names.
 
 
 
4.4.3 checking wildcard labels
The restriction to match against only one subdomain seems to not be
compatible with FRC 4592. RFC 4592 states:
 
   A wildcard domain name can have subdomains.  There is no need to
   inspect the subdomains to see if there is another asterisk label in
   any subdomain.
 
Further, I'm pretty sure that the rule of this draft is incompatible with
many deployments of wildcard matching. I recall in Microsoft we allowed any
number of subdomains when I was involved with the CAPI team.
 
 
4.6.2 
States:
 
   In this case, the
   client MUSTverify that the presented certificate matches the cached
   certificate and (if it is an interactive client) MUST notify the
   user if the certificate has changed since the last time a secure
   connection was successfully negotiated
 
How does the client know if the certificate has changed or whether it just
obtained an unauthorized certificate?
 
I guess in some cases it would work but I feel sure there are exception
cases where the client just has a configured certificate but no knowledge of
what it obtained the last time it talked to the server.

 
/Stefan