IETF Logo Mail Archive

Re: [certid] What security does SRV-ID add when DNS-ID will always match?

Matt McCutchen <matt@mattmccutchen.net> Wed, 30 March 2011 21:43 UTC

Return-Path: <matt@mattmccutchen.net>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D41F3A6BD3 for <certid@core3.amsl.com>; Wed, 30 Mar 2011 14:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.546
X-Spam-Level:
X-Spam-Status: No, score=-2.546 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9uyLSyV8AvL for <certid@core3.amsl.com>; Wed, 30 Mar 2011 14:43:30 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by core3.amsl.com (Postfix) with ESMTP id E8E2B3A693D for <certid@ietf.org>; Wed, 30 Mar 2011 14:43:30 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTP id CF4A410AFAA; Wed, 30 Mar 2011 14:45:09 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=uXh9CAbxXKtLBc5AisDvzff3Pak49ududZ381IPsFwY QWUQbspeRayuMRnM+1uERhdnixlx+q0uBJRaEeBtRWkSlKuZ9HUaJ30p8DMSP+jq 8ixJiPPfffZ4wN9faKUF/JhH90OTbNHicmLrmm6yRjP3Vmt70x8bY8LPRgTkv+j4 =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=SwUro09fQzPL9beB9acZPKwjszk=; b=tU1SzpZjkk 5IrqUOGTkq9g1g2ub8x6ugdPH/Vbh00aLbOs9FnBz4wpt0p+whcHgAK81ZH7s1xV ujGejNvEcG4xJ0rupqCAkD3U5jpWeo2rkqRIsPMvM5y6y1owNfuKwwAMzIOG+IXJ L4Uy3014MBvIWbaeYt5yeeaCxr8D/EdDE=
Received: from [129.2.249.209] (ml2.student.umd.edu [129.2.249.209]) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTPA id D582210AFB0; Wed, 30 Mar 2011 14:45:08 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <4D9399D9.2020302@stpeter.im>
References: <4D35EFE7.4060209@KingsMountain.com> <1300568731.1916.34.camel@localhost> <4D9334DB.3040909@stpeter.im> <1301516234.1917.27.camel@localhost> <4D9399D9.2020302@stpeter.im>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 30 Mar 2011 17:45:07 -0400
Message-ID: <1301521507.1917.56.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3
Content-Transfer-Encoding: 7bit
Cc: IETF cert-based identity <certid@ietf.org>, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] What security does SRV-ID add when DNS-ID will always match?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 21:43:32 -0000

On Wed, 2011-03-30 at 23:00 +0200, Peter Saint-Andre wrote:
> I think that this is a matter of local policy -- a client could prefer
> SRV-IDs yet still accept DNS-IDs, and as far as I can see that behavior
> is not expressly forbidden by the spec.

"Prefer" is vague.  Specifically, I would like the client to accept a
DNS-ID if and only if the certificate contains no SRV-IDs.  How is this
accommodated within the framework of the spec?  Clearly the reference
identifier must contain a DNS-ID.  Somehow, this DNS-ID must be
considered to match the presented DNS-ID if and only if the certificate
contains no SRV-IDs.

Section 6.1 says:

   4.  When checking a reference identifier against a presented
       identifier, the client matches the source domain of the
       identifiers and, optionally, their application service type.

Is it within the meaning of "optionally" for the client to elect to
match the service type (thereby preventing two DNS-IDs from matching) if
and only if the certificate contains at least one SRV-ID?  Section 6.5
only describes service type matching in the context of identifiers that
contain service type information.  Is it legitimate to "match the
service type" solely as a means of preventing identifiers that do not
contain service type information from being used?

> However, in order to explicitly specify that the client's behavior would
> be modified based on what the server presents, we would have needed to
> change the entire processing model from what I call the inclusion
> approach (if there is an identifier type that you might want to check
> then you simply include it in the list of reference identifiers) to what
> I call the conditional approach (the client's processing is conditioned
> on the presented identifiers that it finds in the server's certificate).
> Although Jeff and I considered making that change, the spec has always
> been based on the inclusion approach, so modifying it to use the
> conditional approach would have necessitated a very significant rewrite
> at this late stage in the lifecycle.

Right.

> Jeff and I, and our responsible AD,
> were simply not comfortable with performing such major surgery during
> AUTH48.

Sure.  But the alternative is to release the spec with the issue
unresolved and potentially have to later deal with a mess of SRV-ID
clients that achieve suboptimal interoperability and/or security.  Do
you judge that the first evil is lesser?

Obviously I've put you in an awkward situation, which I regret.  That
said, I don't think I'm wrong to frame the decision this way.

-- 
Matt

v2.23.0 | Report a Bug | By Email