IETF Logo Mail Archive

Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11

Ben Campbell <ben@nostrum.com> Wed, 08 December 2010 00:13 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DEB663A6881; Tue, 7 Dec 2010 16:13:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.317
X-Spam-Level:
X-Spam-Status: No, score=-102.317 tagged_above=-999 required=5 tests=[AWL=0.283, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZmKIowdoCIM; Tue, 7 Dec 2010 16:13:17 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 46E113A687A; Tue, 7 Dec 2010 16:13:17 -0800 (PST)
Received: from [10.0.1.6] (cpe-76-183-178-106.tx.res.rr.com [76.183.178.106]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id oB80EfQ2072860 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 7 Dec 2010 18:14:42 -0600 (CST) (envelope-from ben@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <4CFE8B33.8020805@stpeter.im>
Date: Tue, 07 Dec 2010 18:14:41 -0600
Content-Transfer-Encoding: 7bit
Message-Id: <DFCE5842-8B92-4C67-A21F-0F2A56F68C24@nostrum.com>
References: <p06240832c922cb7e04d9@[10.20.30.151]> <4CFE8B33.8020805@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass (nostrum.com: 76.183.178.106 is authenticated by a trusted mechanism)
X-Mailman-Approved-At: Tue, 07 Dec 2010 17:46:17 -0800
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, certid@ietf.org
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 00:13:19 -0000

WFM, thanks.

On Dec 7, 2010, at 1:29 PM, Peter Saint-Andre wrote:

> Regarding NAPTR...
> 
> On 12/6/10 10:19 AM, Ben Campbell wrote:
> 
>> -- 1.4.2, 2nd bullet item: "We also do not address identifiers
>> derived from Naming Authority Pointer (NAPTR) DNS resource records
>> [NAPTR] and related technologies such as [S-NAPTR], since such
>> identifiers cannot be validated in a trusted manner in the absence of
>> [DNSSEC]."
>> 
>> Does that mean validation of a source domain that will be used to
>> construct a NAPTR request is out of scope, or just validation against
>> the result of a NAPTR query? (I note SIP may require the first).
> 
> Ben, the current text in the I-D is lame. The points we were trying to
> make, but poorly, are that (1) there are no identifiers for NAPTR
> records, as there are for SRV records, and (2) from the perspective of
> this spec it doesn't really matter how you get from the source domain to
> the IP address you use for communication (perhaps you do the A/AAAA
> one-step, the SRV two-step, or the NAPTR three-step, but that's
> immaterial for the purpose of identity checking).
> 
> Point #1 is close to obvious, so I suggest that we remove the offending
> sentence and add this paragraph near the end of Section 1.4.2:
> 
>   Although the process whereby a client resolves the DNS domain name of
>   an application service can involve several steps (e.g., this is true
>   of resolutions that depend on DNS SRV resource records, Naming
>   Authority Pointer (NAPTR) DNS resource records [NAPTR], and related
>   technologies such as [S-NAPTR]), for our purposes we care only about
>   the fact that the client needs to verify the identity of the entity
>   with which it communicates as a result of the resolution process.
>   The resolution process itself is out of scope.
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> https://stpeter.im/
> 
> 
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email