Re: [certid] Fwd: secdir review of

[Martin Rex <mrex@sap.com>]

Peter Saint-Andre wrote:
> 
> -- Page 22, sec 5.1:
>    When the connecting application is an interactive client, the source
>    domain name and service type MUST be provided by a human user (e.g.
>    when specifying the server portion of the user's account name on the
>    server or when explicitly configuring the client to connect to a
>    particular host or URI as in [SIP-LOC]) and MUST NOT be derived from
>    the user inputs in an automated fashion (e.g., a host name or domain
>    name discovered through DNS resolution of the source domain).  This
>    rule is important because only a match between the user inputs (in
>    the form of a reference identifier) and a presented identifier
>    enables the client to be sure that the certificate can legitimately
>    be used to secure the connection.
> 
> Does this mean that a client specifically designed for the "gumbo"
> service can't automatically use the service type "gumbo", without the
> user's involvement?

The current wording does not seem to adequately illustrate the
characteristics that are important here.

"MUST NOT be derived from the user inputs in an automated fashion"
could be very misleading.  The real problem is with using using
information from untrusted sources or performing transformations
of (originally user-supplied or user-confirmed) untrusted information
prior to matching the server endpoint.

There are situations where the implicit assertion of the
protocol "gumbo" is fully aligned with the intention of the user
and is safe to use for matching SRV-IDs. s/gumbo/xmpp/g  wash,rinse,repeat.

Clearly unsafe operations:

  - building a reference identifier from the result of a
    DNS CNAME lookup (the use of DNSSEC does not make this safe)

  - retrieving the URL to a HTTPS resource from a HTML page
    that was loaded through HTTP based on information provided by the user.



>
>                      Or that a client put out by example.net can't
> assume a host name of services.example.net in the absence of user
> input that says otherwise?

It depends.
It is OK when it is sufficiently aligned with the users intention
(although some users may not be fully aware of all technical details).


> 
> Further, it's entirely reasonable for a program to have a user enter
> something like "gmail", and have the client turn that into something
> like "mail.google.com", deriving it from the user's input in an
> automated fashion.  Do we really want to forbid that sort of thing?

That should be fine as long at it is sufficiently aligned with the
users intention and this translation is based purely on trusted sources
of information and protected access to these information sources.

This precludes both, DNS and DNSSEC lookups.

Sufficiently protected local configuration options or protected local
mappings should be fine. (meaning protected from changes without
explicit consent and awareness of the user).



-Martin