Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
Ben Campbell <ben@nostrum.com> Wed, 08 December 2010 21:32 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C25BE3A6988; Wed, 8 Dec 2010 13:32:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.372
X-Spam-Level:
X-Spam-Status: No, score=-102.372 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9SYAP+qeWhTt; Wed, 8 Dec 2010 13:32:41 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 6275C3A687D; Wed, 8 Dec 2010 13:32:41 -0800 (PST)
Received: from dn3-174.estacado.net (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id oB8LY7g8076334 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 8 Dec 2010 15:34:08 -0600 (CST) (envelope-from ben@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <4CFFE19F.1060603@KingsMountain.com>
Date: Wed, 08 Dec 2010 15:34:06 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE7DDF5C-6C0B-46F8-8815-BAAC3B788958@nostrum.com>
References: <4CFFE19F.1060603@KingsMountain.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: draft-saintandre-tls-server-id-check.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, certid@ietf.org
Subject: Re: [certid] [Gen-art] Gen-ART LC Review of draft-saintandre-tls-server-id-check-11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 21:32:42 -0000
On Dec 8, 2010, at 1:50 PM, =JeffH wrote: > <snip/> > > > stpete sez.. > >> In Section 4.2.1 we say: > >> > >> The inputs used by the client to construct its list of reference > >> identifiers might be a URI that a user has typed into an interface > >> (e.g., an HTTPS URL for a web site), configured account information > >> (e.g., the domain name of a particular host or URI used for > >> retrieving information or connecting to a network, which might be > >> different from the server portion of the user's account name), a > >> hyperlink in a web page that triggers a browser to retrieve a media > >> object or script, or some other combination of information that can > >> yield a source domain and a service type. > >> > >> The client might need to extract the source domain and service type > >> from the input(s) it has received. The extracted data MUST include > >> only information that can be securely parsed out of the inputs (e.g., > >> extracting the fully-qualified DNS domain name from the "authority" > >> component of a URI or extracting the service type from the scheme of > ^^^^^^^^^^ > > I suggest we change this to "deriving". > > WFM > >> a URI) or information for which the extraction is performed in a > >> manner that is not subject to subversion by network attackers (e.g., > >> pulling the data from a delegated domain that is explicitly > >> established via client or system configuration, resolving the data > >> via [DNSSEC], or obtaining the data from a third-party domain mapping > >> service in which a human user has explicitly placed trust and with > >> which the client communicates over a connection that provides both > >> mutual authentication and integrity checking). These considerations > >> apply only to extraction of the source domain from the inputs; > >> naturally, if the inputs themselves are invalid or corrupt (e.g., a > >> user has clicked a link provided by a malicious entity in a phishing > >> attack), then the client might end up communicating with an > >> unexpected application service. > >> > >> Do you feel we need to say more about how an application client > >> determines the source domain? Is there something special about SIP AORs > >> that this document does not cover (but should be covering)? > > > BenC replies.. > > > <snip/> > > I am suggesting a soup to nuts example of how a real world input such as > > that gets converted to a resulting URI reference identity. > > > So after the second para quoted above (from [S4.2.1]) how 'bout we add this.. > > > For example, given an input URI of "sip:alice:pswd@example.net;transport=tcp?subject=project%20x&priority=urgent", the client derives the service type "sip" from the scheme, and the domain name "example.net" from the authority component. Also, given an input URI of "im:alice@example.net", the derived service type is "sip" (since the "im" scheme is defined as an abstract scheme in the SIP context by [SIP-IM] (RFC 3428)), and the domain name is again "example.net". That's pretty much what I had in mind, although the URI is more complex that you are likely to see as user input. just "sip:alice@example.net" would probably get the idea across. > > > ? > > =JeffH > > >
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- [certid] Gen-ART LC Review of draft-saintandre-tl… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Jeffrey A. Williams
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Paul Hoffman
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH
- Re: [certid] Gen-ART LC Review of draft-saintandr… Peter Saint-Andre
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Ben Campbell
- Re: [certid] [Gen-art] Gen-ART LC Review of draft… Peter Saint-Andre
- Re: [certid] Gen-ART LC Review of draft-saintandr… =JeffH