Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Mon, 11 October 2010 18:42 UTC

Message-ID: <4CB35AD1.1060808@stpeter.im>
Date: Mon, 11 Oct 2010 12:43:29 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: mrex@sap.com
References: <201010080200.o98208QR022569@fs4113.wdf.sap.corp>
In-Reply-To: <201010080200.o98208QR022569@fs4113.wdf.sap.corp>
Cc: certid@ietf.org
Subject: Re: [certid] open issue: wildcards in component fragments

On 10/7/10 8:00 PM, Martin Rex wrote:
> Matt McCutchen wrote:
>>
>> I have never seen a certificate with a wildcard that is not a
>> whole label on a public web site.
> 
> Btw. the use of TLS is not limited to the public internet.

I don't think anyone said it is. However, it's difficult for researchers
to do much testing of sites that are closed off from the public
internet, so that's the real-world data that folks tend to mention.

Speaking of which, someone contacted Jeff and me off-list about some
research results showing that of a very large number of certificates
presented by TLS-protected websites, less than 0.01% contain wildcards
in component fragments. Given that minuscule level of deployment, I
don't see good reasons to spend more cycles on the topic.

> I don't think that knowing which _public_ website uses this is meaningless.
> The matching is implemented on the client anyway, not on the server.

Yes it is, but requiring significantly more complex matching to handle
less than 0.01% of the issued certificates seems like a bad idea, i.e.,
not a *best* current practice.

> A much more interesting question would be, what exact kind of wildcard
> matching do popular TLS clients actually implement?

Why is that a much more interesting question?

>    - Microsoft SChannel on XP/2003, Vista/Win7
>    - Firefox 3.x
>    - Google Chrome
>    - Apple Safari (non-Windows)
>    - Opera
> 
> We started shipping SSL with our app in 2000/2001.  Back then,
> I noticed that MSIE 5.0x implemented (full-label) wildcard matching
> (i.e. WinNT 4 and Win9x/ME), but SChannel in Windows 2000 and therefore
> MSIE 5.0x on Windows 2000 did _NOT_ implement wildcard matching.
> For internal testing, I've been using server certs with wildcard CN-IDs
> since 2000, but not being aware of the wildcards substring matching
> described in rfc2818 back then, I never tried that myself.
> 
> I did issue server certs for wildcard substring matching when I
> implemented rfc-2818, though -- and I consider it likely that other
> implementors did this as well.

That's nice, but not directly relevant to the current discussion because
the I-D that Jeff and I have worked on does not override, supersede, or
obsolete RFC 2818 or any other prior art about matching rules for
application server identity. Instead, we are attempting to abstract from
that prior art to formulate forward-looking rules that capture the best
aspects of current practice in a form that future application protocols
can reference. If someday folks in the HTTP community wish to update or
obsolete RFC 2818 by referencing this I-D, they will be free to do so --
but that is not the purpose of the work that Jeff and I have done.

Peter

--
Peter Saint-Andre
https://stpeter.im/
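The two matching rules the thread contrasts, as an added illustration that is not code from the I-D, from RFC 2818, or from any of the TLS clients named above: a whole-label matcher (the wildcard must be an entire label) beside an RFC 2818-style matcher that also accepts a wildcard inside a label such as `f*.example.com`, plus a check for the "wildcard in a component fragment" case the survey counted. All hostnames are constructed; IDNA/punycode handling is left out.

```python
import re


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def has_fragment_wildcard(presented: str) -> bool:
    """True if any label contains '*' as part of a label ('f*', '*bar')
    rather than as the whole label; this is the case the survey counted."""
    return any("*" in lbl and lbl != "*" for lbl in _labels(presented))


def match_whole_label(presented: str, reference: str) -> bool:
    """Whole-label rule: '*' matches exactly one label and only when it is
    the entire label; a '*' embedded in a label is treated as no match."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):          # a wildcard never spans several labels
        return False
    for pl, rl in zip(p, r):
        if pl == "*":
            if rl == "":          # refuse to match an empty label
                return False
        elif "*" in pl or pl != rl:
            return False
    return True


def match_fragment(presented: str, reference: str) -> bool:
    """RFC 2818-style rule: '*' matches a whole label or a fragment of one,
    so 'f*.example.com' matches 'foo.example.com' but not 'bar.example.com'."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False
    for pl, rl in zip(p, r):
        if rl == "":
            return False
        # each '*' becomes [^.]* so it can never cross a label boundary;
        # everything else is escaped so '.' and friends stay literal
        regex = "^" + "[^.]*".join(re.escape(part) for part in pl.split("*")) + "$"
        if not re.match(regex, rl):
            return False
    return True


if __name__ == "__main__":
    for presented in ("*.example.com", "f*.example.com"):
        for ref in ("foo.example.com", "bar.example.com", "a.foo.example.com"):
            print(presented, ref, match_whole_label(presented, ref),
                  match_fragment(presented, ref))
```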