IETF Logo Mail Archive

[certid] user overrides (was: Re: Fwd: [apps-discuss] draft-saintandre-tls-server-id-check and user overrides)

Peter Saint-Andre <stpeter@stpeter.im> Thu, 10 June 2010 02:44 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E56A3A6831 for <certid@core3.amsl.com>; Wed, 9 Jun 2010 19:44:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.282
X-Spam-Level:
X-Spam-Status: No, score=-2.282 tagged_above=-999 required=5 tests=[AWL=0.317, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zSvujW5PhSB for <certid@core3.amsl.com>; Wed, 9 Jun 2010 19:44:00 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 64A9F3A6894 for <certid@ietf.org>; Wed, 9 Jun 2010 19:44:00 -0700 (PDT)
Received: from squire.local (dsl-228-47.dynamic-dsl.frii.net [216.17.228.47]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4D4A640E5D; Wed, 9 Jun 2010 20:44:01 -0600 (MDT)
Message-ID: <4C10516B.1000400@stpeter.im>
Date: Wed, 09 Jun 2010 20:43:55 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>
References: <4C104CC3.8070602@stpeter.im>
In-Reply-To: <4C104CC3.8070602@stpeter.im>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms090802040003040802070401"
Cc: "Thomson, Martin" <Martin.Thomson@andrew.com>
Subject: [certid] user overrides (was: Re: Fwd: [apps-discuss] draft-saintandre-tls-server-id-check and user overrides)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 02:44:02 -0000

On 6/9/10 8:24 PM, Peter Saint-Andre wrote:
> Forwarding from the apps-discuss@ietf.org list to maintain continuity.
> 
> -------- Original Message --------
> Subject: [apps-discuss] draft-saintandre-tls-server-id-check and user
> overrides
> Date: Wed, 9 Jun 2010 09:46:41 +0800
> From: Thomson, Martin <Martin.Thomson@andrew.com>
> To: apps-discuss@ietf.org <apps-discuss@ietf.org>rg>,	psaintan@cisco.com
> <psaintan@cisco.com>om>,	Jeff.Hodges@PayPal.com <Jeff.Hodges@PayPal.com>
> 
> In draft-saintandre-tls-server-id-check-05, Sections 3.6.2 and 3.6.3.1
> talk about user choice in interactively trusting a certificate.
> 
> What is missing is discussion on "why" users might need to (or want to)
> override the default behaviour.  Usage practices aren't obvious, so this
> seems like a good place to expand on this.

I'm not sure if this is the spec in which to describe why a user might
need or want to override the default server identity checking behavior.
One example of a spec that provides some guidance in this area is
http://www.w3.org/TR/2010/WD-wsc-ui-20100309/ but that doesn't cover
non-browser or non-web applications, and in any case this is a matter of
providing guidance to client developers regarding user interaction,
which is not exactly a matter of expertise in the IETF. However, I'm
open to accepting suggested text on this point.

> It would be good if this described what are acceptable types of
> certificate validation failure and what aren't.  Common reasons that are
> potentially valid are:
>  - not trusted (no CA)
>  - expired certificate
>  - wrong name
>  - revoked certificate

So far, with regard to client behavior this spec has been limited to the
narrow topic of checking server identity, not the broader topic of
certificate validation.

> Obviously, you aren't going to accept a certificate if the entity
> providing it could not prove that they possess the corresponding private
> key.
> 
> It might help to explain the significance of such an action - the user
> is trusting the entity that is able to proof possession of the private
> key that corresponds to the private key in the certificate.  All other
> data in the certificate becomes irrelevant.
> 
> --Martin
> 
> p.s. I don't know what happens in practice if a certificate is pinned
> before expiry and then subsequently expires.  Same goes for revocation.
>  I'd be interested in learning what people do.  Logic suggests that if a
> certificate is accepted despite violating one criterion, it does not
> imply continued acceptance when another criteria are subsequently violated.

Again, those are interesting and important issues, but somewhat outside
the very limited scope that we have set for ourselves.

As with other requests for broadening the scope of this spec, I'd like
to point out that we might very well write more specs on related topics
in the future, and perhaps eventually put them all together into a more
general BCP. However, given how contentious these issues can be, I think
we'd prefer to do this work in a piecemeal fashion to start with instead
of defining a grand unified theory from the beginning (because it's
unlikely that we would ever finish that task).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email