Re: [Dots] Alexey Melnikov's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

"Alexey Melnikov" <aamelnikov@fastmail.fm> Thu, 02 May 2019 12:56 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40AF61200E6; Thu, 2 May 2019 05:56:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=V1ZdsjFx; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ej53lm22
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0eUSrHflLWM; Thu, 2 May 2019 05:56:14 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC44012002F; Thu, 2 May 2019 05:56:14 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id EB454244EC; Thu, 2 May 2019 08:56:13 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute7.internal (MEProxy); Thu, 02 May 2019 08:56:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type; s=fm3; bh=t5pTuTXtpRD1/XmAdrVGxksrk1Q4wWc cJC5CoDi9xtI=; b=V1ZdsjFxu7eHMAUOTZDBSZbOBaeu1D5AwySl5DJ47l6rH9q Fv3YWGesrMYDiQV0I+ZOZFBO0P5Z2nwKJK2ZGoZIXw/KYcQ6snzXJwe7/aFEbi6A +yT5v7Idbv5urTC9WL6RQ2Jcr+bzPLfuJSI2dXfFMISqPrk/CsXTDktpso/bnNdL jK7hkQoWh7UjrIvcMO/mguvKgr8ongatU18QPFRjrC6ys13OcFJ9N2xvBB6zU8iU dgNbvwsnjjIknoXr15mqj3DQJDjGn8e6/MtjpGB1HqoG0KI9YOPq0mcBko6O1d4j PHnw483ZY5pj5Fo4fnDfytyg9a1SRENJVqw1gzw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=t5pTuT XtpRD1/XmAdrVGxksrk1Q4wWccJC5CoDi9xtI=; b=ej53lm22E1doXbDJJq90bJ oWQZwuBsVFFoK6PG8wsvgdYMQOo0HnbAPpiqh0NvrAqg0NW1LcyqLjT1LNMLz8sg JU7wW7O6sN3wySgmW5YtjMO2UsvSL3h1jFmTRalrQYrdqTtpEuVEKQNhAk0ZZ7Ai IA2mH6X5RE+Vpk2b9YP9McWi1LmtQ3BrBFmb22s4VptIJFFdVKHS/QQdtsz4T3Fr RCdIuEFM4X7hgrxyy05gkAno1lMKKAHMdGZUyRY9iGQypSDw3XuUH9TVafw/gI6T G/I2n+FF7KGF0Xm6m5WE/KKx2p8yk7mQgpWKl0148xxJOFSWuKE1KwYmO1FnLsAA ==
X-ME-Sender: <xms:7ejKXNda8hF0zzjwWV7GnhqfjqveT9C1dApQqDnvzKuvb9cDUv4S9w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrieelgdeitdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderreejnecuhfhrohhmpedftehlvgig vgihucfovghlnhhikhhovhdfuceorggrmhgvlhhnihhkohhvsehfrghsthhmrghilhdrfh hmqeenucfrrghrrghmpehmrghilhhfrhhomheprggrmhgvlhhnihhkohhvsehfrghsthhm rghilhdrfhhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:7ejKXDcifwDSMZwSzuL9euv16gDcCHdT7Gv7i-lX9_vRt-n3lnswPQ> <xmx:7ejKXMZLcKneScg3yZMco9ljCE44BW-5Hod5zJPveuvSlWsnBHrQxw> <xmx:7ejKXIpDxhK4Sb-ed2dd9NkBb_o5rDLLBRlgkv0QCaUwNPQKiJaTSQ> <xmx:7ejKXOEZUKwCpb73XRa5SUwCAASL8LLW3nPlkMrVOTmryNorjg4bLg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 4B1D3D4931; Thu, 2 May 2019 08:56:13 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-449-gfb3fc5a-fmstable-20190430v1
Mime-Version: 1.0
Message-Id: <e289a531-d959-4e33-bac3-9c45f03bf75f@www.fastmail.com>
In-Reply-To: <BYAPR16MB2790D805F0057AF598F2C0E6EA340@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <155672115649.991.301467308616633255.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA68A2C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790D805F0057AF598F2C0E6EA340@BYAPR16MB2790.namprd16.prod.outlook.com>
Date: Thu, 02 May 2019 08:55:49 -0400
From: "Alexey Melnikov" <aamelnikov@fastmail.fm>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "The IESG" <iesg@ietf.org>
Cc: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, Xialiang <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Io6NbfrlxIUbDM0jRJbFT7MJ4pg>
Subject: Re: [Dots] =?utf-8?q?Alexey_Melnikov=27s_Discuss_on_draft-ietf-dots-?= =?utf-8?q?signal-channel-31=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 12:56:17 -0000

Hi,

On Thu, May 2, 2019, at 1:47 PM, Konda, Tirumaleswar Reddy wrote:

> > > 7) In 7.1:
> > >
> > >    When a DOTS client is configured with a domain name of the DOTS
> > >    server, and connects to its configured DOTS server, the server may
> > >    present it with a PKIX certificate.  In order to ensure proper
> > >    authentication, a DOTS client MUST verify the entire certification
> > >    path per [RFC5280].  The DOTS client additionally uses [RFC6125]
> > >    validation techniques to compare the domain name with the certificate
> > >    provided.
> > >
> > > I am glad that you are referencing RFC 6125 here, but the description is not
> > > complete. Do you allow for wildcards in certificate subjectAltNames? Do you
> > > support CN-ID, DNS-ID, SRV-ID, URI-ID? I think you only want to support 
> > > DNS-ID
> > > and possibly SRV-ID and CN-ID. This needs to be explicitly stated in the
> > > document.
> > >
> > 
> > [Med] Fair enough. Will consider updating the text.
> 
> We will add the following text to address the above comment:
> 
>       Certification authorities that issue DOTS server certificates
>       SHOULD support the DNS-ID and SRV-ID identifier types. 
>       DOTS server SHOULD prefer the use of DNS-ID  and SRV-ID 
>       over CN-ID identifier types in certificate requests 
>       (as described in Section 2.3 from [RFC6125]) and the
>       wildcard character '*' SHOULD NOT be included in the presented
>       identifier.

This still doesn't say whether URI-ID is allowed. May I suggest that you add the following sentence at the beginning of this paragraph:

       DOTS protocol doesn't use URI-IDs for server identity verification.

Also, I would like to understand how SRV-IDs are to be used by DOTS. The document doesn't register any new service name for DOTS protcol, so it is not clear how SRV-IDs can be used.

Thank you,
Alexey