Re: [dispatch] draft-johansson-dispatch-dane-sip-01 - certificate validation
"Olle E. Johansson" <oej@edvina.net> Sun, 26 January 2014 12:50 UTC
Return-Path: <oej@edvina.net>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FFF41A013B for <dispatch@ietfa.amsl.com>; Sun, 26 Jan 2014 04:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqDXYQA_kJLW for <dispatch@ietfa.amsl.com>; Sun, 26 Jan 2014 04:50:51 -0800 (PST)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) by ietfa.amsl.com (Postfix) with ESMTP id 5AE1C1A0136 for <dispatch@ietf.org>; Sun, 26 Jan 2014 04:50:50 -0800 (PST)
Received: from [192.168.40.13] (h87-96-134-129.dynamic.se.alltele.net [87.96.134.129]) by smtp7.webway.se (Postfix) with ESMTPA id AD1E593C2A1; Sun, 26 Jan 2014 12:50:47 +0000 (UTC)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <CAPms+wQT5U_DdHGxc=C8oaBNfJkk-KfOHZ78=gRWirdpDRfyFA@mail.gmail.com>
Date: Sun, 26 Jan 2014 13:50:46 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <E504237F-78AF-4051-B111-3B5F4D93AD36@edvina.net>
References: <CAPms+wQC2KB4ymHxQfuf8HS9nsDPh33fAOA9BPHCT0qfxV7OhA@mail.gmail.com> <03326AC3-4A56-49C6-B68F-3A3F137A78B8@edvina.net> <CAPms+wQT5U_DdHGxc=C8oaBNfJkk-KfOHZ78=gRWirdpDRfyFA@mail.gmail.com>
To: Michael Procter <michael@voip.co.uk>
X-Mailer: Apple Mail (2.1827)
Cc: IETF Dispatch <dispatch@ietf.org>
Subject: Re: [dispatch] draft-johansson-dispatch-dane-sip-01 - certificate validation
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2014 12:50:53 -0000
On 26 Jan 2014, at 13:34, Michael Procter <michael@voip.co.uk> wrote: > Rather than saying in section 8 that clients validate the certificate > "using RFC 5922 rules", it might be clearer to explicitly call out > which part of the RFC should be used. Maybe something like: > > The client MUST > determine the SIP domain identities in the server certificate using > the procedure in Section 7.1 of RFC 5922. > > o If there were no identities found in the server certificate, the > server is not authenticated. > > o If the domain extracted from the AUS matches any SIP domain > identity obtained from the certificate when compared as described > in Section 7.2 of RFC 5922, the server is authenticated for the domain. > > (Text borrowed from RFC 5922 section 7.3 with light edits) > > But that doesn't seem to agree with this statement: > > On 26 January 2014 07:53, Olle E. Johansson <oej@edvina.net> wrote: >> A client >> compliant with this specification will look for the host name (SRV host) >> in the CN and a client following the SIP domain cert RFC will ignore >> the CN and only look into the SAN fields > > RFC 5922 doesn't let you do that. Section 7.1 bullet 2 states that > you may only examine the CN if there are no subjectAltNames present > (not just no matching subjectAltNames). It also only permits you to > use a DNS name when there are no SIP URIs listed. Right. My example was a way to produce one certificate for both. I wanted to totally ignore the SANs in SIPDANE. A certificate with ONLY one CN and NO SANs will collide as you say. That needs to be mentioned. In that case SNI may help (if we come up with a draft for SIP and SNI). > > You might be better off not using any of the RFC 5922 rules at all! > Removing the RFC5922 references from the first paragraph of section 8 > makes it look like: > > When using DANE-based validation the client validates the SRV > hostname with the certificate. A DANE-capable > SIP implementation looks for the SRV hostname in the list of > SubjAltName DNSName extension fields. Only if there are no > SubjAltName extension fields may the client look in the CN of the > X.509 certificate. This re-adds SANs that I wanted to remove ;-) > > That approach (not mentioning RFC 5922) seems to make sense and still > defends against the attack outlined in draft-ietf-dane-srv-03 section > 10.3. I will check that part again and possibly come back with more questions. And remove some references to 5922 to avoid confusion. There was questions earlier about backwards compatibility and that may be moved into a separate section. Thanks again, /O > > Best regards, > > Michael
- [dispatch] draft-johansson-dispatch-dane-sip-01 -… Michael Procter
- Re: [dispatch] draft-johansson-dispatch-dane-sip-… Olle E. Johansson
- Re: [dispatch] draft-johansson-dispatch-dane-sip-… Michael Procter
- Re: [dispatch] draft-johansson-dispatch-dane-sip-… Olle E. Johansson