Re: [certid] What security does SRV-ID add when DNS-ID will always match?
=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 17 January 2011 19:55 UTC
Message-ID: <4D349F3E.3060601@KingsMountain.com>
Date: Mon, 17 Jan 2011 11:57:50 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] What security does SRV-ID add when DNS-ID will always match?
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
> The use of SRV-IDs is supposed to ensure that the client connects to the
> service type it wanted from among the services available at the DNS name
> it wanted. However, given that...
>
> - The client's list of reference identifiers MUST include a DNS-ID
> (section 6.2.10)

you mean S6.2.1, yes?

> - The examples of server certificates that include a SRV-ID (section
> 4.2) also include a DNS-ID
> - The server ID check succeeds if any reference identifier matches any
> presented identifier (section 6.3)
>
> it would appear that the DNS-IDs will always match, making the service
> types in the SRV-IDs irrelevant. Am I right?

thx for the heads-up, but I don't think so, see section 6.5...

###
6.5. Matching the Application Type Portion

   If a client supports checking of identifiers of type SRV-ID and
   URI-ID, it MUST also check the service type of the application
   service with which it communicates (in addition to checking the
   domain name as described above). This is a best practice because
   typically a client is not designed to communicate with all kinds of
   services using all possible application protocols, but instead is
   designed to communicate with one kind of service, such as websites,
   email services, VoIP services, or IM services. The service type is
   verified by means of an SRV-ID or a URI-ID.

6.5.1. SRV-ID

   The service name portion of an SRV-ID (e.g., "imaps") MUST be
   matched in a case-insensitive manner, in accordance with [DNS-SRV].
   Note that the "_" character is prepended to the service identifier
   in DNS SRV records and in SRV-IDs (per [SRVNAME]), and thus does not
   need to be included in any comparison.

6.5.2. URI-ID

   The scheme name portion of a URI-ID (e.g., "sip") MUST be matched in
   a case-insensitive manner, in accordance with [URI]. Note that the
   ":" character is a separator between the scheme name and the rest of
   the URI, and thus does not need to be included in any comparison.
###

I note that we should fix the S6.5 title to be..

"Matching the Application Service Type Portion"

..or simply..

"Matching the Application Service Type"

thanks,

=JeffH
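The matching rules quoted from section 6.5 above, implemented as an added example (this is not code from the draft, from Jeff Hodges or from Matt McCutchen, and it does not settle their disagreement). It compares the service name of an SRV-ID and the scheme of a URI-ID case-insensitively, strips the leading "_" on both sides as 6.5.1 says, and then applies the "any reference identifier matches any presented identifier" rule of section 6.3. Two things are assumptions of the example rather than text on this page: domain names (section 6.4, not quoted here) are compared as a case-insensitive exact match with no wildcard or IDNA handling, and identifiers are only compared against presented identifiers of the same type. The certificate contents and identifier values are constructed for illustration.

```python
"""Reference-identifier matching per the quoted section 6.5 (SRV-ID service
name and URI-ID scheme compared case-insensitively) combined with the
"any reference matches any presented" rule of section 6.3.

Added example, not the draft's or the thread's own code.  Assumptions:
domain names are compared case-insensitively and exactly (no wildcards,
no IDNA), and identifiers are only compared with presented identifiers of
the same type.  All identifier values below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Identifier:
    kind: str   # "DNS-ID", "SRV-ID" or "URI-ID"
    value: str  # e.g. "example.net", "_imaps.example.net", "sip:example.net"


def _domain_match(ref: str, presented: str) -> bool:
    # Simplification of section 6.4 (assumption): case-insensitive exact
    # comparison of the DNS domain name, ignoring a trailing dot.
    return ref.rstrip(".").lower() == presented.rstrip(".").lower()


def _split_srv(srv: str) -> Tuple[str, str]:
    # SRV-ID form is "_service.name"; the "_" is present on both sides
    # (section 6.5.1) so it is dropped before comparing the service name.
    if not srv.startswith("_") or "." not in srv:
        raise ValueError(f"malformed SRV-ID: {srv!r}")
    service, name = srv[1:].split(".", 1)
    return service, name


def _split_uri(uri: str) -> Tuple[str, str]:
    # URI-ID: the scheme is everything before the first ":" (section 6.5.2);
    # the host is taken from the authority, with userinfo and port removed.
    # IP literals are out of scope for this example.
    scheme, sep, rest = uri.partition(":")
    if not sep or not scheme:
        raise ValueError(f"malformed URI-ID: {uri!r}")
    rest = rest[2:] if rest.startswith("//") else rest
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    if not host:
        raise ValueError(f"URI-ID without a host: {uri!r}")
    return scheme, host


def identifier_matches(ref: Identifier, presented: Identifier) -> bool:
    """One reference identifier against one presented identifier.

    DNS-ID matches on domain only; SRV-ID and URI-ID additionally require
    the service name / scheme to match, case-insensitively (section 6.5).
    """
    if ref.kind != presented.kind:      # same-type comparison (assumption)
        return False
    if ref.kind == "DNS-ID":
        return _domain_match(ref.value, presented.value)
    if ref.kind == "SRV-ID":
        r_svc, r_name = _split_srv(ref.value)
        p_svc, p_name = _split_srv(presented.value)
        return r_svc.lower() == p_svc.lower() and _domain_match(r_name, p_name)
    if ref.kind == "URI-ID":
        r_scheme, r_host = _split_uri(ref.value)
        p_scheme, p_host = _split_uri(presented.value)
        return r_scheme.lower() == p_scheme.lower() and _domain_match(r_host, p_host)
    raise ValueError(f"unsupported identifier type: {ref.kind}")


def check_server_identity(reference_ids: Iterable[Identifier],
                          presented_ids: Iterable[Identifier]) -> Optional[Identifier]:
    """Section 6.3 rule: the check succeeds if any reference identifier
    matches any presented identifier.  Returns the presented identifier
    that matched, or None if the certificate must be rejected."""
    presented_ids = list(presented_ids)
    for ref in reference_ids:
        for pres in presented_ids:
            if identifier_matches(ref, pres):
                return pres
    return None


def demo() -> dict:
    # Constructed certificate carrying a DNS-ID, an SRV-ID for a different
    # service type than the client wants, and a URI-ID.
    presented = [
        Identifier("DNS-ID", "example.net"),
        Identifier("SRV-ID", "_xmpp-server.example.net"),
        Identifier("URI-ID", "sip:example.net"),
    ]
    # An IMAPS client whose reference list includes a DNS-ID (the situation
    # in the quoted question) and one whose reference list is SRV-ID only.
    with_dns_id = [Identifier("DNS-ID", "example.net"),
                   Identifier("SRV-ID", "_imaps.example.net")]
    srv_only = [Identifier("SRV-ID", "_IMAPS.EXAMPLE.NET")]
    return {
        "srv_only_rejects_wrong_service": check_server_identity(srv_only, presented) is None,
        "dns_id_in_list_matches": check_server_identity(with_dns_id, presented),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running `demo()` shows both sides of the exchange in mechanical form: with only the SRV-ID `_IMAPS.EXAMPLE.NET` in the reference list the certificate is rejected, because its SRV-ID names `_xmpp-server` even though the domain matches (and the match is case-insensitive as 6.5.1 requires); with a DNS-ID also in the reference list the DNS-ID pair matches and the check succeeds under the section 6.3 rule, which is the observation the quoted question makes.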