Re: [certid] What security does SRV-ID add when DNS-ID will always match?

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 17 January 2011 19:55 UTC

Message-ID: <4D349F3E.3060601@KingsMountain.com>
Date: Mon, 17 Jan 2011 11:57:50 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] What security does SRV-ID add when DNS-ID will always match?

 > The use of SRV-IDs is supposed to ensure that the client connects to the
 > service type it wanted from among the services available at the DNS name
 > it wanted.  However, given that...
 >
 > - The client's list of reference identifiers MUST include a DNS-ID
 > (section 6.2.10)

you mean S6.2.1, yes?

 > - The examples of server certificates that include a SRV-ID (section
 > 4.2) also include a DNS-ID
 > - The server ID check succeeds if any reference identifier matches any
 > presented identifier (section 6.3)
 >
 > it would appear that the DNS-IDs will always match, making the service
 > types in the SRV-IDs irrelevant.  Am I right?

thx for the heads-up, but I don't think so, see section 6.5...

###

6.5. Matching the Application Type Portion

    If a client supports checking of identifiers of type SRV-ID and
    URI-ID, it MUST also check the service type of the application
    service with which it communicates (in addition to checking the
    domain name as described above).  This is a best practice because
    typically a client is not designed to communicate with all kinds of
    services using all possible application protocols, but instead is
    designed to communicate with one kind of service, such as websites,
    email services, VoIP services, or IM services.

    The service type is verified by means of an SRV-ID or a URI-ID.

6.5.1. SRV-ID

    The service name portion of an SRV-ID (e.g., "imaps") MUST be matched
    in a case-insensitive manner, in accordance with [DNS-SRV].  Note
    that the "_" character is prepended to the service identifier in DNS
    SRV records and in SRV-IDs (per [SRVNAME]), and thus does not need to
    be included in any comparison.

6.5.2. URI-ID

    The scheme name portion of a URI-ID (e.g., "sip") MUST be matched in
    a case-insensitive manner, in accordance with [URI].  Note that the
    ":" character is a separator between the scheme name and the rest of
    the URI, and thus does not need to be included in any comparison.

###
I note that we should fix the S6.5 title to be..

   "Matching the Application Service Type Portion"

..or simply..

   "Matching the Application Service Type"
thanks,

=JeffH
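An added illustration, in Python, of the section 6.5 matching rules quoted in the draft text above (this is not code from the draft or from anyone in this thread): SRV-ID service names and URI-ID scheme names are compared case-insensitively with the "_" prefix and ":" separator left out, and the domain portion is compared alongside. The function reports the section 6.3 domain match and the section 6.5 service-type verification as two separate results, since how a client combines them is exactly what this thread is discussing. The identifier forms, function names and sample identifiers are assumptions made for the illustration.

```python
import re

# Forms assumed for this illustration: SRV-ID is "_service.domain" (the SRVNAME form
# named in 6.5.1); URI-ID is "scheme:host" or "scheme://host/...". No wildcards/IDNA.
SRV_ID_RE = re.compile(r"^_([A-Za-z0-9-]+)\.(.+)$")
URI_ID_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(?://)?([^/:?#]+)")


def service_and_domain(kind, value):
    """Split an identifier into (service type, domain); a DNS-ID has no service type.
    The regexes consume the "_" prefix and the ":" separator, so neither is compared."""
    if kind == "DNS-ID":
        return None, value
    m = (SRV_ID_RE if kind == "SRV-ID" else URI_ID_RE).match(value)
    if m is None:
        raise ValueError(f"malformed {kind}: {value!r}")
    return m.group(1).lower(), m.group(2)


def same_domain(a, b):
    """Case-insensitive comparison of the DNS domain name portion."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def check_identifiers(reference_ids, presented_ids):
    """Compare (kind, value) reference identifiers with presented ones, type for type.
    Returns (domain_matched, service_type_verified): the first is the section 6.3
    "any reference matches any presented" result; the second is True only when an
    SRV-ID or URI-ID matched on both domain and service type (section 6.5)."""
    domain_matched = service_verified = False
    for rkind, rval in reference_ids:
        rsvc, rdom = service_and_domain(rkind, rval)
        for pkind, pval in presented_ids:
            if pkind != rkind:
                continue
            psvc, pdom = service_and_domain(pkind, pval)
            if not same_domain(rdom, pdom):
                continue
            if rsvc is None:                # DNS-ID: domain name only
                domain_matched = True
            elif rsvc == psvc:              # SRV-ID / URI-ID: domain and service type
                domain_matched = service_verified = True
    return domain_matched, service_verified


# Constructed sample: an IMAP-over-TLS client expecting example.com, and two certificates
# that both carry the right DNS-ID but differ in the service type of their SRV-ID.
IMAPS_REFS = [("DNS-ID", "example.com"), ("SRV-ID", "_imaps.example.com")]
CERT_IMAPS = [("DNS-ID", "example.com"), ("SRV-ID", "_IMAPS.example.com")]
CERT_XMPP = [("DNS-ID", "example.com"), ("SRV-ID", "_xmpp-client.example.com")]
```

With CERT_XMPP the domain matches but the service type does not, which is the case the original question was asking about.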