Re: [certid] Last Call: draft-saintandre-tls-server-id-check (Representation and Verification of Domain-Based Application Service Identity in Certificates Used with Transport Layer Security) to Proposed Standard

Stefan Winter <stefan.winter@restena.lu> Wed, 04 August 2010 05:46 UTC

To: Shumon Huque <shuque@isc.upenn.edu>
Cc: certid@ietf.org

Hi,

> Besides DNSSEC, or some other secure mapping service, I can't think 
> of an obvious one. You'd need to figure out how to encode the service 
> identity in the DNS query name, which is precisely the thing the 
> S-NAPTR lookup is trying to find.
>

Thanks for giving this some thought!

>> And do you consider discussing this issue in your draft?
>
> Are you proposing to just discuss this issue, or that we should
> try to find a solution to the problem?
>

I wouldn't mind if you try to solve it, of course :-) But since there is
apparently no trivial "fix" to server id validation, I'd be just as
happy with a simple paragraph stating that validation of
(S-)NAPTR-derived identities doesn't work in a trusted manner without
DNSSEC.

(But that's just me, since I don't mind prescribing DNSSEC in my draft;
but my working group chair already expressed that he'd prefer something
else)

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473