Re: [certid] Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
Peter Saint-Andre <stpeter@stpeter.im> Wed, 08 December 2010 21:42 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F3193A687D; Wed, 8 Dec 2010 13:42:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.394
X-Spam-Level:
X-Spam-Status: No, score=-103.394 tagged_above=-999 required=5 tests=[AWL=1.205, BAYES_00=-2.599, GB_I_LETTER=-2, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mBMHKYl3TDbN; Wed, 8 Dec 2010 13:42:53 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id A15AD3A686B; Wed, 8 Dec 2010 13:42:52 -0800 (PST)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 99A264009B; Wed, 8 Dec 2010 14:56:12 -0700 (MST)
Message-ID: <4CFFFC32.2000806@stpeter.im>
Date: Wed, 08 Dec 2010 14:44:18 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4CFFD91A.2060808@KingsMountain.com>
In-Reply-To: <4CFFD91A.2060808@KingsMountain.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms050104060209080400010102"
Cc: IETF cert-based identity <certid@ietf.org>, IETF Discussion List <ietf@ietf.org>, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Subject: Re: [certid] Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 21:42:56 -0000
On 12/8/10 12:14 PM, =JeffH wrote: > [ adding certid@ list ] > > Thanks for the review SM. > >> In Section 2.2: >> >> 'A "traditional domain name", i.e., a fully-qualified domain name >> or "FQDN" (see [DNS-CONCEPTS]) all of whose labels are "LDH >> labels" as defined in [IDNA-DEFS].' >> >> It would be better to reference RFC 1123 for LDH labels instead of >> RFC 5890 unless the authors would like to adopt a terminology that is >> specific to IDNA. > > I looked into this in detail earlier this year -- it was discussed on > ietf@ (during the initial IETF LC for this spec), and this particular > issue resolution was summarized here (by John Klensin).. > > Re: Last Call: draft-saintandre-tls-server-id-check > http://www.ietf.org/mail-archive/web/ietf/current/msg62601.html > > In brief summary, RFCs {1034,1035,1123,2181} do not define > "letter-digit-hyphen" DNS name labels in a concisely referenceable > fashion, nor particularly clearly. > > The IDNA specs have done the wider DNS-community a service by doing so, > and at present the fashion in which "traditional domain name" is defined > and cited is the best we can do. Given that IDNs are a deployed reality, > every (new or updated) spec that discusses domain names going forward is > going to need to reference the IDNA specs in some fashion, and probably > should simply use the LDH-Label, A-Label, and U-Label nomenclature. (IMV) I agree with that assessment. >> In Section 3.1: >> >> "Unless a profile of this specification allows continued support >> for the wildcard character '*', the fully-qualified DNS domain >> name portion of a presented identifier SHOULD NOT contain the >> wildcard character, whether as the complete left-most label >> within the identifier (following the definition of "label" from >> [DNS], e.g., "*.example.com") or as a fragment thereof (e.g., >> *oo.example.com, f*o.example.com, or foo*.example.com)." >> >> If the presented identifier is a fully-qualified DNS domain name (I >> assume that means FQDN), the left-most label cannot be a wildcard >> character according to LDH rules. I suggest rewriting that as: >> >> Unless a profile of this specification allows continued support >> for the wildcard character '*', the domain name portion of >> a presented identifier SHOULD NOT contain the wildcard character >> (e.g., "*.example.com") or as a fragment thereof (e.g., >> *oo.example.com, f*o.example.com, or foo*.example.com). > > while I agree with your subtle substitution of.. > > "fully-qualified DNS domain name portion" > > ..with.. > > "domain name portion" Done. > ..however, I disagree with your further simplification of that paragraph > because we feel we need to supply the more detailed context. > > > >> In Section 4.2.1: >> >> "The client might need to extract the source domain and service type >> from the input(s) it has received. The extracted data MUST include >> only information that can be securely parsed out of the inputs (e.g., >> extracting the fully-qualified DNS domain name from the authority >> component of a URI or extracting the service type from the scheme of >> a URI) or information for which the extraction is performed in a >> manner that is not subject to subversion by network attackers (e.g., >> pulling the data from a delegated domain that is explicitly >> established via client or system configuration, resolving the data >> via [DNSSEC], or obtaining the data from a third-party domain mapping >> service in which a human user has explicitly placed trust and with >> which the client communicates over a connection that provides both >> mutual authentication and integrity checking)." >> >> I read part of the above as meaning that data can only be extracted >> from DNS if the data has been resolved via DNSSEC. Is that the intent? > > No, that is not the intent. We've further refined that paragraph as a > result of a concurrent discussion with Ben Campbell (on certid@) and > have this present working text.. > > The client might need to extract the source domain and service type > from the input(s) it has received. The extracted data MUST include > only information that can be securely parsed out of the inputs (e.g., > extracting the fully-qualified DNS domain name from the "authority" > component of a URI or extracting the service type from the scheme of > a URI) or information for which the extraction is performed in a > manner that is not subject to subversion by network attackers (e.g., > pulling the data from a delegated domain that is explicitly > established via client or system configuration, resolving the data > via [DNSSEC], or obtaining the data from a third-party domain mapping > service in which a human user has explicitly placed trust and with > which the client communicates over a connection that provides both > mutual authentication and integrity checking). These considerations > apply only to extraction of the source domain from the inputs; > naturally, if the inputs themselves are invalid or corrupt (e.g., a > user has clicked a link provided by a malicious entity in a phishing > attack), then the client might end up communicating with an > unexpected application service. > > > >> Section 4.3 discusses about how to seek a match against the list of >> reference identifiers. I found the thread at >> http://www.ietf.org/mail-archive/web/certid/current/msg00318.html > informative. >> >> In Section 4.4.3: >> >> "A client employing this specification's rules MAY match the reference >> identifier against a presented identifier whose DNS domain name >> portion contains the wildcard character '*' as part or all of a label >> (following the definition of "label" from [DNS])" >> >> According to the definition of label in RFC 1035, the wildcard >> character cannot be part of a label. I suggest removing the last >> part of that sentence. > > You mean removing the parenthetical "(following the definition of > "label" from [DNS])", yes? > > In reviewing RFC 1035 I see your concern, tho we'd like to reference a > description of "label". I note that RFC 1034 [S3.1] seems to > appropriately supply this, so I propose we keep the parenthetical but > alter it to be.. > > (following the description of labels and domain names in [DNS-CONCEPTS]) Done. >> FWIW, RFC 4592 updates the wildcard >> definition in RFC 1034 and uses the term "asterisk label". > > Yes, but that definition (and term) appears to be specific to underlying > DNS internals, not to (pseudo) domain names as wielded (or "presented" > (eg in certs)) in other protocols. > > >> Was the comment about the security note ( >> http://www.ietf.org/mail-archive/web/certid/current/msg00427.html ) >> in Section 4.6.4 addressed? > > Yes, we believe so. > > > thanks again for your review, Indeed. Peter -- Peter Saint-Andre https://stpeter.im/