Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
Peter Saint-Andre <stpeter@stpeter.im> Wed, 08 December 2010 20:14 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BDBE3A6886; Wed, 8 Dec 2010 12:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.257
X-Spam-Level:
X-Spam-Status: No, score=-102.257 tagged_above=-999 required=5 tests=[AWL=0.342, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WPk6YHE7fT-c; Wed, 8 Dec 2010 12:14:40 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 3029A3A6870; Wed, 8 Dec 2010 12:14:40 -0800 (PST)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id B85374009B; Wed, 8 Dec 2010 13:27:59 -0700 (MST)
Message-ID: <4CFFE784.20302@stpeter.im>
Date: Wed, 08 Dec 2010 13:16:04 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4CFFE19F.1060603@KingsMountain.com>
In-Reply-To: <4CFFE19F.1060603@KingsMountain.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010302080307000801050200"
Cc: Ben Campbell <ben@nostrum.com>, General Area Review Team <gen-art@ietf.org>, certid@ietf.org, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 20:14:41 -0000
On 12/8/10 12:50 PM, =JeffH wrote: > <snip/> > >> stpete sez.. >>> In Section 4.2.1 we say: >>> >>> The inputs used by the client to construct its list of reference >>> identifiers might be a URI that a user has typed into an interface >>> (e.g., an HTTPS URL for a web site), configured account information >>> (e.g., the domain name of a particular host or URI used for >>> retrieving information or connecting to a network, which might be >>> different from the server portion of the user's account name), a >>> hyperlink in a web page that triggers a browser to retrieve a media >>> object or script, or some other combination of information that can >>> yield a source domain and a service type. >>> >>> The client might need to extract the source domain and service type >>> from the input(s) it has received. The extracted data MUST include >>> only information that can be securely parsed out of the inputs (e.g., >>> extracting the fully-qualified DNS domain name from the "authority" >>> component of a URI or extracting the service type from the scheme of > ^^^^^^^^^^ > > I suggest we change this to "deriving". After an IM chat with Jeff, I agree. >>> a URI) or information for which the extraction is performed in a >>> manner that is not subject to subversion by network attackers (e.g., >>> pulling the data from a delegated domain that is explicitly >>> established via client or system configuration, resolving the data >>> via [DNSSEC], or obtaining the data from a third-party domain mapping >>> service in which a human user has explicitly placed trust and with >>> which the client communicates over a connection that provides both >>> mutual authentication and integrity checking). These considerations >>> apply only to extraction of the source domain from the inputs; >>> naturally, if the inputs themselves are invalid or corrupt (e.g., a >>> user has clicked a link provided by a malicious entity in a phishing >>> attack), then the client might end up communicating with an >>> unexpected application service. >>> >>> Do you feel we need to say more about how an application client >>> determines the source domain? Is there something special about SIP AORs >>> that this document does not cover (but should be covering)? > > > BenC replies.. >> > <snip/> >> I am suggesting a soup to nuts example of how a real world input such as >> that gets converted to a resulting URI reference identity. > > > So after the second para quoted above (from [S4.2.1]) how 'bout we add > this.. > > > For example, given an input URI of > "sip:alice:pswd@example.net;transport=tcp?subject=project%20x&priority=urgent", > the client derives the service type "sip" from the scheme, and the > domain name "example.net" from the authority component. Looks good. I love gnarly URIs. :) > Also, given an > input URI of "im:alice@example.net", the derived service type is "sip" > (since the "im" scheme is defined as an abstract scheme in the SIP > context by [SIP-IM] (RFC 3428)), and the domain name is again > "example.net". Well, the im: and pres: URIs can result in a derived service type of "xmpp", too. It depends on what a service has deployed... http://tools.ietf.org/html/rfc3860 http://www.iana.org/assignments/im-srv-labels/im-srv-labels.xhtml Peter -- Peter Saint-Andre https://stpeter.im/
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- [certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH