Re: [certid] accommodating server-to-server (was: I-D Action:draft-saintandre-tls-server-id-check-10.txt)
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 12 November 2010 02:11 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 420D428C117 for <certid@core3.amsl.com>;
Thu, 11 Nov 2010 18:11:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.094
X-Spam-Level:
X-Spam-Status: No, score=-99.094 tagged_above=-999 required=5 tests=[AWL=2.571,
BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_83=0.6,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gTT97fTEo8VD for
<certid@core3.amsl.com>; Thu, 11 Nov 2010 18:11:21 -0800 (PST)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com
[67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id E6F8A28C14B for
<certid@ietf.org>; Thu, 11 Nov 2010 18:11:20 -0800 (PST)
Received: (qmail 24622 invoked by uid 0); 12 Nov 2010 02:11:52 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy3.bluehost.com with SMTP; 12 Nov 2010 02:11:52 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=bcrwbEy3ww1uL2xdbS24q6cW2CndG97H1BDMcDg37CCEQ7oQybuvIV5aw/jcMZe2zV3GyhEX5ml0kuupWDHeKkXsiP+VXp+f9oW7PtLy3b0nAxKP10IjNnevlZNk8caf;
Received: from dhcp-4d0d.meeting.ietf.org ([130.129.77.13]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PGj7H-0001dk-Lp;
Thu, 11 Nov 2010 19:11:52 -0700
Message-ID: <4CDCA262.6060709@KingsMountain.com>
Date: Thu, 11 Nov 2010 18:11:46 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>,
XMPP Working Group <xmpp@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 130.129.77.13 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] accommodating server-to-server (was: I-D
Action:draft-saintandre-tls-server-id-check-10.txt)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2010 02:11:23 -0000
On Tue, 09 Nov 2010, PeterSA replied: > > On 11/6/10 5:33 AM, =JeffH wrote: >> >> Peter Saint-Andre replied: >>> >>> Philipp Hancke replied: >>> >>>> Peter Saint-Andre wrote: >>>>> >>>>> Note: In some application protocols, the procedure described in >>>>> this section can be performed by an application server acting as a >>>>> TLS client when verifying a server-to-server connection, not >> only by >>>> >>>> s/TLS client/TLS server/ >>> >>> In XMPP at least, if Romeo's personal server (montague.lit) attempts to >>> connect to Juliet's personal server (capulet.lit), he asserts to her >>> that he is montague.lit and she takes that as her reference identifier. >>> Thus her server is acting as a TLS client in relation to the presented >>> identifiers in the certificate that Romeo's personal server provides. >>> This is what's distinctive about the server-to-server case -- an >>> application service is acting as a TLS client. >>> >>> ... >>> >>>> I think it is not clear who is verifying >>> >>> If you try to connect to me, I'm going to verify you -- even if I'm an >>> XMPP server. >>> >>>> (probably because both parties >>>> are for xmpp-s2s). >>> >>> Yes, ideally the verification happens in both directions. >> >> >> To me, what Peter wrote in the proposed "Note:" is confusing because it >> is labeling an entity as a "TLS client" that is not a TLS client in the >> TLS protocol sense -- it is playing the TLS server role, and is only >> behaving as a "TLS client" would in the sense of verifying the entity at >> the other end of the incoming connection. > > You're right. I've scrubbed mention of "TLS client" from that paragraph: > > Note: In some application protocols that support server-to-server > communication (e.g., XMPP), the procedure described in this > section can be performed by an application server acting when > verifying an incoming server-to-server connection, not only by an > application client when verifying the server with which it is > interacting to establish an outgoing client-to-server connection. > In this case, the application server verifies the identity of the > peer server that is attempting to connect and uses as its > reference identifier the DNS domain name asserted by the peer > server (e.g., as triggered by a request to send a message from an > entity associated with the peer server to an entity associated > with the application service). Other than the source of the > reference identifier and the reversal of roles, the verification > process remains unchanged. great, thx, that works for me and seems much clearer. >> In this case we ostensibly have the "peer server" -- legitimately acting >> as a TLS client -- presenting its certificate during the TLS handshake, >> and thus the application service is obliged to perform the same checks >> on the peer server's asserted identity, as an actual TLS client performs >> on asserted app service identity. >> >> yes? > > Yes. good, we're on same page. >> If so, it seems we're linguistically standing on our heads here trying >> to shoehorn the notion of "verification of client identity (by the app >> service)" into section 4 "Verification of Service Identity". > > By "service" here we're talking about an application service, not a TLS > server. In the server-to-server scenario, we're talking about one > application service verifying the identity of a peer service. Ok. >> I propose that we need to perhaps have a separate section for the former >> and figure out how to refactor the more detailed section 4 subsections >> such that we don't have to needlessly repeat text. > > I don't particularly want to do a lot of refactoring on this I-D to > incorporate the server-to-server case. Perhaps this note belongs in > documents that re-use the server-id-check methodology -- e.g., we could > add it to draft-ietf-xmpp-3920bis for the XMPP case. Ok, good idea. >> It also seems we ought to do this in a general fashion such that its >> applicable for any TLS server processing an inbound connection where the >> client elects to assert its identity (eg by presenting a cert). > > I think that's out of scope for this I-D, and we already say so in > Section 1.4.2. ah ha, yes, you're correct, nevermind. thanks, =JeffH
- Re: [certid] accommodating server-to-server (was:… =JeffH
- Re: [certid] accommodating server-to-server (was:… Peter Saint-Andre
- Re: [certid] [xmpp] accommodating server-to-serve… Philipp Hancke
- Re: [certid] [xmpp] accommodating server-to-server Peter Saint-Andre
- Re: [certid] accommodating server-to-server (was:… =JeffH