IETF Logo Mail Archive

Re: [dane] DANE-SRV, SNI functional equivalent and XMPP

Peter Saint-Andre - &yet <peter@andyet.net> Tue, 19 May 2015 14:49 UTC

Return-Path: <peter@andyet.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9EA31B2FD0 for <dane@ietfa.amsl.com>; Tue, 19 May 2015 07:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gxj-seTXr6u for <dane@ietfa.amsl.com>; Tue, 19 May 2015 07:49:39 -0700 (PDT)
Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com [209.85.220.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C5E1B3035 for <dane@ietf.org>; Tue, 19 May 2015 07:46:14 -0700 (PDT)
Received: by pacwv17 with SMTP id wv17so27635099pac.2 for <dane@ietf.org>; Tue, 19 May 2015 07:46:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=zGJgFKmpgEUpxD68K4yT0LTaTN2l7MFhp22ihu13Tiw=; b=KhYTwJyLNQ+FX2rQ/uo5T2kmySEbdehEUbd36HWHkIRQVNV7u2Kyij8yqTQ5A2xrW9 75hfj2Q8FatZnzyBbqfrlZUOCnzzUN+oG/Ghnp20bUHVXwZ7FxpB7I/m1SqsXmDs9Km2 AaiZ1E3J3yLOLgSjX9ZRuJGdGNAJTjl4DCUa3dQEEkotRQvueCN5iO8zu7L0l193YUbK qcequ11SBIPbc8D37tMdwKWgWnnUBXW5PnkP5UfzH/YU7im8lPZsSLfd0caRmvMop3vr tNfal1fsnetGKECkXCRsw2w9Ygj9CVDovXXo1soGcGp4SCdP375zJVaaa2zqCKPjDKeo MAUg==
X-Gm-Message-State: ALoCoQmAZ6UrED0WiDm/S4JcikrpEvID2aw+u+5z+N1aUAu7TLWEnQcUEBsvRBtdt+Bf1uxgXL3s
X-Received: by 10.66.66.65 with SMTP id d1mr16463118pat.22.1432046773657; Tue, 19 May 2015 07:46:13 -0700 (PDT)
Received: from aither.local ([12.249.93.110]) by mx.google.com with ESMTPSA id ra3sm13329037pbb.23.2015.05.19.07.46.12 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 May 2015 07:46:12 -0700 (PDT)
Message-ID: <555B4CB3.3020203@andyet.net>
Date: Tue, 19 May 2015 07:46:11 -0700
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Kim Alvefur <zash@zash.se>, dane@ietf.org
References: <5558C801.7030304@zash.se> <555A61CA.2020108@andyet.net> <555B224D.20709@zash.se>
In-Reply-To: <555B224D.20709@zash.se>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/v_K8W-b-GSlAEaxGb7DBjquYGhg>
Cc: georg@op-co.de
Subject: Re: [dane] DANE-SRV, SNI functional equivalent and XMPP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 14:49:41 -0000

On 5/19/15 4:45 AM, Kim Alvefur wrote:
> On 2015-05-19 00:03, Peter Saint-Andre - &yet wrote:
>> On 5/17/15 9:55 AM, Kim Alvefur wrote:
>>> Hello list!
>>
>> Hi Zash!
>>
>>> Georg Lukas noted that section 4.1 says, in the context of XMPP, to use
>>> to='xmpp23.hosting.example.net' in the stream header, as that is the
>>> "functional equivalent" of SNI in XMPP.  However, that conflicts with
>>> the current semantics of 'to' being the service domain name to the
>>> server host name.  That will break many, if not all, deployed servers.
>>> The server should know what certificate to use for the indicated domain
>>> name.
>>>
>>> http://tools.ietf.org/html/draft-ietf-dane-srv-14#section-4.1
>>
>> Hmm.
>>
>> First, all draft-ietf-dane-srv says is that you don't need to use SNI in
>> XMPP because we already have a way for the TLS client to specify which
>> domain name it expects of the TLS server, i.e., the 'to' address of the
>> initial stream header.
>
> What I tried to say was that this sentence in the draft is confusing
> and/or wrong in the context of XMPP:
>
> SRV is secure: [...] The target server host name is the preferred name
> for TLS SNI or its equivalent.

Ah, I see.

I think this might be a more generic issue. For context from §4.1, 
here's the complete text:

    SRV is insecure:  The reference identifiers SHALL include the service
       domain and MUST NOT include the SRV target server host name (e.g.,
       include "im.example.com" but not "xmpp23.hosting.example.net").
       The service domain is the preferred name for TLS SNI or its
       equivalent.

    SRV is secure:  The reference identifiers SHALL include both the
       service domain and the SRV target server host name (e.g., include
       both "im.example.com" and "xmpp23.hosting.example.net").  The
       target server host name is the preferred name for TLS SNI or its
       equivalent.

I think we can all agree that when SRV is insecure, the client doesn't 
have a strong binding or "association" (using language from 
draft-ietf-xmpp-dna) of the service domain to the target server host 
name, so it needs to use the service domain as the reference identifier.

When SRV is secure, the client does have that kind of strong binding or 
association, so it is OK for the client to seek a match against both the 
target server host name and the service domain when checking the 
identifiers in the certificate.

Currently, this document states that when SRV is secure, it is preferred 
for the client to indicate to the server that its reference identifier 
is the target server host name. (We're assuming that the purpose of the 
SNI or equivalent is to indicate the client's preferred reference 
identifier.) If that's wrong for XMPP (and I'm not yet convinced that it 
is), is it potentially wrong for other application protocols, or even 
for all application protocols in general?

Given that the client can indicate only one reference identifier via SNI 
or equivalent, yet we're saying that the client actually has two 
reference identifiers in this case, I wonder whether the best general 
advice is for to *indicate* the service domain but *accept* both the 
service domain and the target server host name.

I'll check with my co-author on that to see what he thinks, but feedback 
from others on the list would be appreciated.

>> Second, draft-ietf-xmpp-dna is the document that specifies the behavior
>> of XMPP entities. So IMHO this is a topic for the XMPP WG list, not the
>> DANE WG list. I'll forward this message to that list and continue the
>> conversation there.
>
> Right, dane-srv doesn't have authority over XMPP specifics.
>
> Thanks :)

Sure, let's discuss those specifics (if any) on the XMPP WG list - but 
see above on whether this might be a generic issue.

Thanks for the feedback!

Peter

-- 
Peter Saint-Andre
https://andyet.com/

v2.23.0 | Report a Bug | By Email