[dane] Comments on draft-ietf-dane-smime-04
"Jim Schaad" <ietf@augustcellars.com> Fri, 07 February 2014 04:03 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ABB71A034B for <dane@ietfa.amsl.com>; Thu, 6 Feb 2014 20:03:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llirba1B1K7V for <dane@ietfa.amsl.com>; Thu, 6 Feb 2014 20:03:16 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id AA4271A0346 for <dane@ietf.org>; Thu, 6 Feb 2014 20:03:15 -0800 (PST)
Received: from Philemon (50-39-223-207.bvtn.or.frontiernet.net [50.39.223.207]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 754382CA51; Thu, 6 Feb 2014 20:03:14 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: draft-ietf-dane-smime@tools.ietf.org
Date: Thu, 06 Feb 2014 20:01:34 -0800
Message-ID: <07ba01cf23b9$4b4e0540$e1ea0fc0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac8jpUDvnDpFqfeXTuqw0g8WYmGXPw==
Content-Language: en-us
Cc: dane@ietf.org
Subject: [dane] Comments on draft-ietf-dane-smime-04
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 04:03:18 -0000
1. Section 1, para 1: The first two sentences imply that a single certificate is going to be present in a message. While this is true in a large number of cases, there are many times in which more than one certificate may be present. These include having different signing an encrypting keys or intermediate certificates for chain building. I would request that the first two sentences be modified to make certificate be plural. s/a certificate. This certificate assists/certificates. These certificates assist/ 2. Section 1, para 1: The last sentence is missing a step in the description of the process of validating that certificate is bound to a purported sender. The current text just looks at the validation process and does not talk about what is necessary to check the binding itself. In most cases, but not all, this involves looking for the senders email address in the certificate itself. (In other cases some type of external database would be required or one could say that the sender and the signer may not be the same person even though the signature itself validates.) One thing about this document that I don't remember having seen on the list is the question of doing the binding check between the senders address and the contents of a certificate. Is it going to be considered sufficient if one does the DNS look up for the certificates? Is it only a sufficient check for some types of SMIMEA records but not for others? I.e. EE certificate vs CA or TA certificate. The document needs to distinguish between the steps of validating and trusting a certificate and doing the binding between an email address and a certificate. While it is possible to both in some cases, in others these need to be distinct steps. 3. Section 2, para 1: First sentence - see the last item. It may be not an EE certificate that is being associated. 4. Section 3, step 1: It would be nice to be explicit that you are doing a UTF8 Unicode string to octet string transformation before doing the Base32 conversion. The referenced document says that this is the case for SMTP submission in one mode, but it is not clear that the SMTP submission format is what we are doing here. Being explicit would be helpful. There are two general problems that people are looking to solve with this document. A) I have an email address and a certificate, I want to validate the certificate and check the association between the certificate and the email address. B) I have an email address, I need to find a certificate. At present I believe that this document is addressing problem A and not problem B. It would be good to state that problem B is out of scope in the introduction if this is the case. If problem B is what the document is trying to solve, then there are a number of issues that need to be addressed: a) The set of certificate usages needs to be restricted to 1 and 3 so that one will get a certificate about the EE b) The set of certificates selectors needs to be restricted to 0 so that the certificate is always present c) The matching type needs to be restricted to 0 so that the certificate is always present. A mention, but problem not a solution, to the case folding problem for local parts in email addresses needs to stated so that people understand it exists. A quote from RFC 6530 is It has long been the case that the email syntax permits choices about mailbox names that are unwise in practice, if one actually intends the mailboxes to be accessible to a broad range of senders. The most often cited examples involve the use of case-sensitivity and tricky quoting of embedded characters in mailbox local parts. These deliberately unusual constructions are permitted by the protocols, and servers are expected to support them. Although they can provide value in special cases, taking advantage of them is almost always bad practice unless the intent is to create some form of security by obscurity. Which would seem to me to say, yes this is a legal thing to do. However if you do it you should be taken back of the wood shed and whipped. Thus although it is legal it is highly unadvisable. Thus one does case folding in the look up, one may be get a wrong security answer so one should not do it even if it is tempting. I.e. - this at a minimum is a security consideration because people are going to try and do it if we don't tell them not to do it and why they should not do it.
- [dane] Comments on draft-ietf-dane-smime-04 Jim Schaad
- Re: [dane] Comments on draft-ietf-dane-smime-04 Osterweil, Eric
- Re: [dane] Comments on draft-ietf-dane-smime-04 James Cloos
- Re: [dane] Comments on draft-ietf-dane-smime-04 Jim Schaad
- Re: [dane] Comments on draft-ietf-dane-smime-04 Stephen Kent
- Re: [dane] Comments on draft-ietf-dane-smime-04 Paul Hoffman