Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 08 December 2010 19:50 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AE933A6988 for <certid@core3.amsl.com>; Wed, 8 Dec 2010 11:50:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.857
X-Spam-Level:
X-Spam-Status: No, score=-101.857 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oe4AQDI1vWIV for <certid@core3.amsl.com>; Wed, 8 Dec 2010 11:50:43 -0800 (PST)
Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by core3.amsl.com (Postfix) with SMTP id 34E6B3A689A for <certid@ietf.org>; Wed, 8 Dec 2010 11:50:43 -0800 (PST)
Received: (qmail 19133 invoked by uid 0); 8 Dec 2010 19:50:59 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 8 Dec 2010 19:50:59 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=r4ZbZsN5LCiYRJNC/GbhHX+vJZvL71Q48XMSmUzetdgUMZI52I3keEroTjoDRXnsPVZmNtJVfFZTp36/FnQi8Ekh3DRL1kcaSD8D49Sbq4ipaCiPgd3K5bmMfR2tpaLa;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PQQ2U-00014t-U0; Wed, 08 Dec 2010 12:50:59 -0700
Message-ID: <4CFFE19F.1060603@KingsMountain.com>
Date: Wed, 08 Dec 2010 11:50:55 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: Ben Campbell <ben@nostrum.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, certid@ietf.org
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 19:50:44 -0000
<snip/> > stpete sez.. >> In Section 4.2.1 we say: >> >> The inputs used by the client to construct its list of reference >> identifiers might be a URI that a user has typed into an interface >> (e.g., an HTTPS URL for a web site), configured account information >> (e.g., the domain name of a particular host or URI used for >> retrieving information or connecting to a network, which might be >> different from the server portion of the user's account name), a >> hyperlink in a web page that triggers a browser to retrieve a media >> object or script, or some other combination of information that can >> yield a source domain and a service type. >> >> The client might need to extract the source domain and service type >> from the input(s) it has received. The extracted data MUST include >> only information that can be securely parsed out of the inputs (e.g., >> extracting the fully-qualified DNS domain name from the "authority" >> component of a URI or extracting the service type from the scheme of ^^^^^^^^^^ I suggest we change this to "deriving". >> a URI) or information for which the extraction is performed in a >> manner that is not subject to subversion by network attackers (e.g., >> pulling the data from a delegated domain that is explicitly >> established via client or system configuration, resolving the data >> via [DNSSEC], or obtaining the data from a third-party domain mapping >> service in which a human user has explicitly placed trust and with >> which the client communicates over a connection that provides both >> mutual authentication and integrity checking). These considerations >> apply only to extraction of the source domain from the inputs; >> naturally, if the inputs themselves are invalid or corrupt (e.g., a >> user has clicked a link provided by a malicious entity in a phishing >> attack), then the client might end up communicating with an >> unexpected application service. >> >> Do you feel we need to say more about how an application client >> determines the source domain? Is there something special about SIP AORs >> that this document does not cover (but should be covering)? BenC replies.. > <snip/> > I am suggesting a soup to nuts example of how a real world input such as > that gets converted to a resulting URI reference identity. So after the second para quoted above (from [S4.2.1]) how 'bout we add this.. For example, given an input URI of "sip:alice:pswd@example.net;transport=tcp?subject=project%20x&priority=urgent", the client derives the service type "sip" from the scheme, and the domain name "example.net" from the authority component. Also, given an input URI of "im:alice@example.net", the derived service type is "sip" (since the "im" scheme is defined as an abstract scheme in the SIP context by [SIP-IM] (RFC 3428)), and the domain name is again "example.net". ? =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- [certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH