Re: [certid] Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
=JeffH <Jeff.Hodges@KingsMountain.com> Sat, 22 January 2011 01:05 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 368EB3A6877 for <certid@core3.amsl.com>; Fri, 21 Jan 2011 17:05:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.231
X-Spam-Level:
X-Spam-Status: No, score=-102.231 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llMa-yaX+Pqm for <certid@core3.amsl.com>; Fri, 21 Jan 2011 17:05:01 -0800 (PST)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 093A23A685D for <certid@ietf.org>; Fri, 21 Jan 2011 17:05:01 -0800 (PST)
Received: (qmail 6615 invoked by uid 0); 22 Jan 2011 01:07:48 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 22 Jan 2011 01:07:48 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=bTIP8HcmwQNNh98XAeamVIQKTWGkBbkw0Q/+rg8bLlXFG1jR8grDMcrlMiwzh7TsWQHE4pVtAfYC+Nm9Jz3OqdovxirDAXTTp8F8SbCpIh6GUvawKzWVKFwQwtadsB1i;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PgRxD-0001lc-R5; Fri, 21 Jan 2011 18:07:48 -0700
Message-ID: <4D3A2DE2.4050304@KingsMountain.com>
Date: Fri, 21 Jan 2011 17:07:46 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: SM <sm@resistor.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Second Last Call: draft-saintandre-tls-server-id-check (...) to BCP
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jan 2011 01:05:02 -0000
Hi SM, apologies for latency in replying.. >>You mean removing the parenthetical "(following the definition of >>"label" from [DNS])", yes? >> >>In reviewing RFC 1035 I see your concern, tho we'd like to reference >>a description of "label". I note that RFC 1034 [S3.1] seems to >>appropriately supply this, so I propose we keep the parenthetical >>but alter it to be.. >> >> (following the description of labels and domain names in [DNS-CONCEPTS]) > > That's fine to me. k > >>Yes, but that definition (and term) appears to be specific to >>underlying DNS internals, not to (pseudo) domain names as wielded >>(or "presented" (eg in certs)) in other protocols. > > This brings us to the question of the DNS specific usage of "domain > names" and when the term is used in an application context. > > For example, is the left-most part in "foo*.example.com" ( > draft-saintandre-tls-server-id-check-12, Section 5.2) acceptable as a label? No, "foo*" isn't a legit dns label per se. However, it's only used in "presented" domain names in various contexts -- certs being one -- and intended for matching within applications, not for actual dereferencing via the DNS. > I'll react to some comments from Cullen Jennings. > > At 23:17 15-12-10, Cullen Jennings wrote: >>So let me start with I think there is great information in here and >>I think it should be published as a standards track RFC however I do >>think there are some issues with the relation with this draft and >>the realities of what would help improve security in deployment of >>SIP, HTTP, IMAP, XMPP etc. > > The information in draft-saintandre-tls-server-id-check is > helpful. It's been a mouthful to comment on the draft as it requires > the reading of several referenced documents first. This in itself > gives us an idea of the breath this draft tries to cover. > >>process review. Next this draft contradicts the procedures in >>existing protocols and says that it does not apply to the existing >>protocols but that it would take precedence over any future updates >>of existing protocols that use TLS within the scope specified here. I > > That begs the question about whether this draft should be a BCP. I > would feel more comfortable if such a document is carefully reviewed > by people from the different application groups it touches on as it > attempts to shape the future. This is not to say that there hasn't > been enough discussion about the draft or that it did not get > adequate socialization. If the authors are of the opinion that there > has been that breath of review, I am fine with that. above is no longer an issue as the draft is now approved as a proposed std. thx for the input on the issue in any case. > >>In section 3.2, in the imap example, you are saying that if I >>configure my imap server to mail.example.com and it presents a >>certificate with a DNS-ID of example.com that this is OK. That does >>not sound OK to me but I don't know how IMAP works. In the SIP example, the > > Consider an email address of "user@example.com". The IMAP service is > discovered by the MUA by doing a DNS SRV lookup on _imaps.example.com > ( draft-daboo-srv-email ) and the target is mail.example.net, i.e > that's where the IMAP server is running. The certificate provides a > SRV-ID of "_imaps.example.com" and a DNS-ID of "example.com". we've incorp'd such an example in the draft, thx. > > BTW, the reference to draft-ietf-tls-rfc4366-bis could be normative > for the reader to understand SNI and not rely on the workaround for > multiple identifiers. we don't feel its approp at this time to make that a normative reference, for at least the reasons given in the draft in S7.4. thanks again for your review, =JeffH