Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
"Jim Schaad" <ietf@augustcellars.com> Wed, 29 September 2010 22:10 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id AD1993A69B7 for <certid@core3.amsl.com>;
Wed, 29 Sep 2010 15:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oa3DXXNQHWau for
<certid@core3.amsl.com>; Wed, 29 Sep 2010 15:10:44 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by
core3.amsl.com (Postfix) with ESMTP id 476E93A6A29 for <certid@ietf.org>;
Wed, 29 Sep 2010 15:10:42 -0700 (PDT)
Received: from TITUS (unknown [207.202.179.27]) (using TLSv1 with cipher
AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated
sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTP id
554E06A4FE; Wed, 29 Sep 2010 15:11:26 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'=JeffH'" <Jeff.Hodges@KingsMountain.com>,
"'IETF cert-based identity'" <certid@ietf.org>
References: <4CA3AF50.6050101@KingsMountain.com>
In-Reply-To: <4CA3AF50.6050101@KingsMountain.com>
Date: Wed, 29 Sep 2010 15:19:24 -0700
Message-ID: <006801cb6024$6049f5a0$20dde0e0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGpqtf1DBfzG3HdU1/o9iR7FXwOz5Ns8WLw
Content-Language: en-us
Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 22:10:50 -0000
> -----Original Message----- > From: certid-bounces@ietf.org [mailto:certid-bounces@ietf.org] On Behalf Of > =JeffH > Sent: Wednesday, September 29, 2010 2:28 PM > To: IETF cert-based identity > Subject: [certid] section 4.6 rewrite (aka: Bad certificate handling) > > I and PeterSA took a hard look at section "4.6 Outcome" (aka: Bad certificate > handling) and indeed its language needed some semi-major rewriting, which > we've done. The entire new section "4.6 Outcome" is below. > > comments? > > thanks, > > =JeffH > > ### > > 4.6. Outcome > > The outcome of the checking procedure is one of the following cases. > > 4.6.1. Case #1: Match Found > > If the client has found a presented identifier that matches a > reference identifier, matching has succeeded. In this case, the > client MUST use the matched reference identifier as the validated > identity of the server. > > 4.6.2. Case #2: No Match Found, Cached Certificate > > If the client does not find a presented identifier matching any of > the reference identifiers, and (a) a human user has previously > accepted and cached a certificate for this application service during > a previous interaction with the service or (b) a certificate has been > cached via configuration settings, then the client MUST verify that > the presented certificate matches the cached certificate. If the > presented certificate does not match the cached certificate then the > client MUST proceed as described under Section 4.6.4. There was one case in the original text here that I was expecting to be kept. This was the case of the chain of certificates being changed from when it was originally presented. Given the suggestion that the chain is shown for advanced users (see 4.6.4) I am wondering about the fact that we are no longer looking at anything more that the terminal certificate at this point. > > 4.6.3. Case #3: No Match Found, No Cached Certificate > > If the client does not find a presented identifier matching any of > the reference identifiers, and the client has not previously cached a > certificate for this application service based on user acceptance or > configuration, then the client MUST proceed as described under > Section 4.6.4. > > 4.6.4. Fallback > > If the client is an interactive client that is directly controlled by > a human user, then it SHOULD inform the user of the identity mismatch > and automatically terminate the connection with a bad certificate > error; this behavior is preferable because it prevents users from > inadvertently bypassing security protections in hostile situations. > > Security Note: Some interactive clients give advanced users the > option of proceeding with acceptance and caching of the presented > certificate despite an identity mismatch. Although this behavior > can be appropriate in certain specialized circumstances, in > general it ought to be exposed only to advanced users. Even then > it needs to be handled with extreme caution, for example by first > encouraging even an advanced user to terminate the connection and, > if the advanced user chooses to proceed anyway, by forcing the > user to view the entire certification path and only then allowing > the user to accept the certificate (on a temporary or permanent > basis, at the user's option). > > Otherwise, if the client is an automated application not directly > controlled by a human user, then it SHOULD terminate the connection > with a bad certificate error and log the error appropriately. An > automated application MAY provide a configuration setting that > disables this behavior, but MUST enable the behavior by default. I would like to see the MAY and MUST here be lower cased. They are implied by the SHOULD in the preceding sentence and do not need to be re-iterated. > > ### > > > > > _______________________________________________ > certid mailing list > certid@ietf.org > https://www.ietf.org/mailman/listinfo/certid
- [certid] section 4.6 rewrite (aka: Bad certificat… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre