[certid] What security does SRV-ID add when DNS-ID will always match?

Matt McCutchen <matt@mattmccutchen.net> Mon, 17 January 2011 19:10 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: certid@ietf.org
Date: Mon, 17 Jan 2011 14:13:04 -0500
Message-ID: <1295291584.2221.18.camel@mattlaptop2.local>
Subject: [certid] What security does SRV-ID add when DNS-ID will always match?
List-Id: Representation and verification of identity in certificates <certid.ietf.org>

The use of SRV-IDs is supposed to ensure that the client connects to the
service type it wanted from among the services available at the DNS name
it wanted.  However, given that...

- The client's list of reference identifiers MUST include a DNS-ID
(section 6.2.10)
- The examples of server certificates that include a SRV-ID (section
4.2) also include a DNS-ID
- The server ID check succeeds if any reference identifier matches any
presented identifier (section 6.3)

it would appear that the DNS-IDs will always match, making the service
types in the SRV-IDs irrelevant.  Am I right?

-- 
Matt
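The matching rule the message describes, worked through in code. This is an added example, not code from the message or from the certid draft; the identifier values, the "SRV-preferred" policy and all function names are constructed for illustration, and DNS-ID comparison is reduced to a case-insensitive exact match (no wildcard handling). The client asks for XMPP at example.net and is handed a certificate issued to the IMAP service at the same host. Under the rule quoted from section 6.3 (any reference identifier matching any presented identifier suffices) the shared DNS-ID makes the check pass, which is exactly the concern raised above; a policy that decides on SRV-IDs alone whenever both sides carry one rejects it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Identifier types in RFC 6125 terminology. Only DNS-ID and SRV-ID are
# modelled here; CN-ID and URI-ID are left out for brevity.
DNS_ID = "DNS-ID"
SRV_ID = "SRV-ID"


@dataclass(frozen=True)
class Identifier:
    kind: str    # DNS_ID or SRV_ID
    value: str   # e.g. "example.net" or "_xmpp-client.example.net"


def parse_srv(value: str) -> Tuple[str, str]:
    """Split an SRV-ID of the form '_service.host' into (service, host),
    lower-cased. Raises ValueError if the value is not shaped like an SRV-ID."""
    if not value.startswith("_") or "." not in value:
        raise ValueError(f"not an SRV-ID: {value!r}")
    service, host = value[1:].split(".", 1)
    if not service or not host:
        raise ValueError(f"malformed SRV-ID: {value!r}")
    return service.lower(), host.lower().rstrip(".")


def matches(ref: Identifier, presented: Identifier) -> bool:
    """Compare one reference identifier with one presented identifier.
    Identifiers of different types never match. DNS-ID comparison is a
    case-insensitive exact match; wildcard labels are deliberately not handled."""
    if ref.kind != presented.kind:
        return False
    if ref.kind == DNS_ID:
        return ref.value.lower().rstrip(".") == presented.value.lower().rstrip(".")
    if ref.kind == SRV_ID:
        # Both the service type and the host must agree.
        return parse_srv(ref.value) == parse_srv(presented.value)
    raise ValueError(f"unknown identifier type: {ref.kind!r}")


def verify_any_match(reference_ids: Iterable[Identifier],
                     presented_ids: Iterable[Identifier]) -> bool:
    """The rule the message quotes from the draft's section 6.3: the check
    succeeds if any reference identifier matches any presented identifier."""
    presented = list(presented_ids)
    return any(matches(r, p) for r in reference_ids for p in presented)


def verify_srv_preferred(reference_ids: Iterable[Identifier],
                         presented_ids: Iterable[Identifier]) -> bool:
    """A stricter policy, constructed here for contrast (not text from the
    draft): when the client holds an SRV-ID reference identifier and the
    certificate presents at least one SRV-ID, decide on the SRV-IDs alone, so a
    shared DNS-ID cannot paper over a service-type mismatch. Fall back to the
    any-match rule only when one side has no SRV-ID at all."""
    refs = list(reference_ids)
    pres = list(presented_ids)
    ref_srv = [r for r in refs if r.kind == SRV_ID]
    pres_srv = [p for p in pres if p.kind == SRV_ID]
    if ref_srv and pres_srv:
        return any(matches(r, p) for r in ref_srv for p in pres_srv)
    return verify_any_match(refs, pres)


# Constructed scenario: the client wants the XMPP client service at
# example.net, so (per the draft) its reference identifiers include a DNS-ID
# as well as the SRV-ID for that service type.
CLIENT_REFERENCE_IDS = [
    Identifier(DNS_ID, "example.net"),
    Identifier(SRV_ID, "_xmpp-client.example.net"),
]

# Constructed certificate: issued to the IMAP service on the same host. It
# carries a dNSName for example.net and an SRVName for _imap, mirroring the
# draft's examples in which a certificate with an SRV-ID also has a DNS-ID.
IMAP_SERVER_PRESENTED_IDS = [
    Identifier(DNS_ID, "example.net"),
    Identifier(SRV_ID, "_imap.example.net"),
]


def demo() -> Dict[str, bool]:
    """Run both policies over the constructed scenario."""
    return {
        "any_match": verify_any_match(CLIENT_REFERENCE_IDS, IMAP_SERVER_PRESENTED_IDS),
        "srv_preferred": verify_srv_preferred(CLIENT_REFERENCE_IDS, IMAP_SERVER_PRESENTED_IDS),
    }


if __name__ == "__main__":
    for policy, ok in demo().items():
        print(f"{policy}: {'accepted' if ok else 'rejected'}")
```

Running the block prints `any_match: accepted` and `srv_preferred: rejected`: with the any-match rule the wrong service type is never noticed because the DNS-IDs agree, while the SRV-preferred policy compares `_xmpp-client` against `_imap` and fails. If the certificate carried only a dNSName, the SRV-preferred policy would fall back to the DNS-ID comparison and accept, so the stricter check only bites when the server actually asserts a service type.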