IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Tue, 12 October 2010 19:55 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 771E53A6A62 for <certid@core3.amsl.com>; Tue, 12 Oct 2010 12:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.553
X-Spam-Level:
X-Spam-Status: No, score=-102.553 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9aZZQZ2Pxpi5 for <certid@core3.amsl.com>; Tue, 12 Oct 2010 12:55:31 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 4399C3A6A5B for <certid@ietf.org>; Tue, 12 Oct 2010 12:55:31 -0700 (PDT)
Received: from dhcp-64-101-72-188.cisco.com (dhcp-64-101-72-188.cisco.com [64.101.72.188]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 2FD5040337 for <certid@ietf.org>; Tue, 12 Oct 2010 14:03:29 -0600 (MDT)
Message-ID: <4CB4BD7C.4000600@stpeter.im>
Date: Tue, 12 Oct 2010 13:56:44 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: certid@ietf.org
References: <201010080200.o98208QR022569@fs4113.wdf.sap.corp> <4CB35AD1.1060808@stpeter.im> <20101012100045.GA30760@redhat.com>
In-Reply-To: <20101012100045.GA30760@redhat.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2010 19:55:33 -0000

On 10/12/10 4:00 AM, Joe Orton wrote:
> On Mon, Oct 11, 2010 at 12:43:29PM -0600, Peter Saint-Andre wrote:
>> Speaking of which, someone contacted Jeff and me off-list about some
>> research results showing that of a very large number of certificates
>> presented by TLS-protected websites, less than 0.01% contain wildcards
>> in component fragments. Given that minuscule level of deployment, I
>> don't see good reasons to spend more cycles on the topic.
> 
> The relative number of certs is less relevant than how widely those 
> certs are used, surely.  I checked the "top 1m sites" database from:
> 
> http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
> 
> - 382860 total sites (hostnames) returned a cert
> - 94438 of total sites used a wildcard cert (24%)
> - 5% of total sites use the wildcard cert with CN=*.blogger.com
>    ... other blogging/mass-hosting sites similarly high usage
> 
> Only a handful (5) use the "f*.example.com" form; all those were certs 
> issued by the GoDaddy and starfieldtech.com CAs.

You claim that the number of certs is less relevant than how widely
those certs are used. So, how widely used are the 5 (!) out of 382860
certificates that contain wildcard component fragments? The fact that
those certificates were issued by GoDaddy and Starfield Technologies
means nothing.

> I support Martin's arguments that the "f*.example.com" form specified in 
> RFC 2818 should be supported.

What do you mean by "should be supported"? I see several claims that one
could make:

1. Existing software whose matching algorithms support wildcard
component fragments should stay as-is.

1a. Any new software written to perform identity matching should also
contain matching algorithms that support wildcard component fragment.

2. Existing application protocols (see Appendix A of this I-D) that
allow wildcard component fragments should not be changed.

2a. Any new application protocols developed by the IETF (or other SDOs)
should also allow wildcard component fragments.

3. Wildcard component fragments are a best current practice for both
certificate issuance and certificate validation, and therefore any BCP
produced by the IETF at this time should recommend that all application
protocols should support wildcard component fragments (thus putting at
least RFC 5922 out of compliance, since that spec doesn't even allow
complete wildcard components).

I support #1 (with the proviso that it's an implementation decision for
the relevant software developers whether they want to simplify their
matching algorithms, based on a cost-benefit analysis of code complexity
vs. a degraded user experience for less than 0.01% of issued
certificates). I think #1a depends on which application protocol the
software is designed to use (e.g., HTTP vs. SIP) -- conform to the spec
you're implementing. I think #2 is just fine (with the proviso that such
application protocols might decide to update their specs in the future
based on experience and discussion within the relevant technology
community). I disagree with #2a because I think that wildcard component
fragments are not a *best* current practice, and I disagree with #3 for
the same reason.

What are the positions of those who are arguing for supporting wildcard
component fragments, and why?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email