Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Peter Saint-Andre <stpeter@stpeter.im> Thu, 19 January 2012 19:34 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A6021F86A9; Thu, 19 Jan 2012 11:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.657
X-Spam-Level:
X-Spam-Status: No, score=-102.657 tagged_above=-999 required=5 tests=[AWL=-0.058, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SadkHyR+1NY3; Thu, 19 Jan 2012 11:34:40 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 47E1521F860D; Thu, 19 Jan 2012 11:34:38 -0800 (PST)
Received: from dhcp-64-101-72-124.cisco.com (unknown [64.101.72.124]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 8BF6B40058; Thu, 19 Jan 2012 12:44:03 -0700 (MST)
Message-ID: <4F18704B.4010309@stpeter.im>
Date: Thu, 19 Jan 2012 12:34:35 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <4F11E975.9070307@isode.com> <10722E0B-059E-4800-84C0-B330F397B63A@tik.ee.ethz.ch> <4F16D95A.3000006@isode.com> <89E47BB4-C228-4700-94C4-3F4ED03F99A2@tik.ee.ethz.ch> <4F1704DE.1090208@isode.com> <4F170904.2000603@isode.com> <60243B0C-A3FF-4B51-AFF8-27C34158E02E@tik.ee.ethz.ch> <4F185391.9050005@isode.com>
In-Reply-To: <4F185391.9050005@isode.com>
X-Enigmail-Version: 1.3.4
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: gen-art@ietf.org, Kathleen Moriarty <kathleen.moriarty@emc.com>, The IESG <iesg@ietf.org>, Brian Trammell <trammell@tik.ee.ethz.ch>
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2012 19:34:41 -0000

On 1/19/12 10:32 AM, Alexey Melnikov wrote:
> Hi Brian,
> 
> On 19/01/2012 09:48, Brian Trammell wrote:
>> On Jan 18, 2012, at 7:01 PM, Alexey Melnikov wrote:
>>> On 18/01/2012 17:43, Alexey Melnikov wrote:
>>>> Hi Brian,
>>>>
>>>> On 18/01/2012 16:16, Brian Trammell wrote:
>>>>> On Jan 18, 2012, at 3:38 PM, Alexey Melnikov wrote:
>>>>>
>>>>> Actually, since the binding between RID and a PKI is better defined
>>>>> in rfc6045-bis, 6046-bis now refers to it, as follows:
>>>>>
>>>>>     Each RID system SHOULD authenticate its peers via a PKI as
>>>>> detailed
>>>>>     in Section 9.3 of [I-D.ietf-mile-rfc6045-bis].
>>>>>
>>>>> Would this address the concern?
>>>> Let me check.
>>> So the text in rfc6045bis seems to suggest that all server
>>> certificates will be verified based on some prior arrangement. Is my
>>> understanding correct?
>> Yes; in essence, a RID consortium is "closed".
> I think that this approach is unwise, because this wouldn't scale. But
> if nobody else see a problem with this, I will let it go.

I have a problem with it.

Version -05 said:

   Each RID consortium SHOULD use a trusted public key infrastructure
   (PKI) to manage identities for RID systems participating in TLS
   connections.  At minimum, each RID system MUST trust a set of X.509
   Issuer identities ("Certificate Authorities") [RFC5280] to directly
   authenticate RID system peers with which it is willing to exchange
   information, and/or a specific white list of X.509 Subject identities
   of RID system peers.

   RID systems MUST provide for the verification of the identity of a
   RID system peer presenting a valid and trusted certificate, by
   verifying the fully-qualified domain name and service name from the
   DNS SRV record, if available, against that stored in the certificate,
   as in Section 6 of [RFC6125].

In version -06, that was replaced with:

   Each RID system SHOULD authenticate its peers via a PKI as detailed
   in Section 9.3 of [I-D.ietf-mile-rfc6045-bis].

As far as I can see, a RID system is not the same as a RID consortium.
Even if every RID system is a member of such a consortium, it seems like
a bad idea to leave the authentication rules up to the consortium,
without providing any sort of guidance. Version -05 at least pointed to
RFC 6125. Since 6046bis is the HTTPS/TLS binding only, it might be more
appropriate to point to RFC 2818 here instead of RFC 6125, but I think
we need to say *something* about how authentication works (matching of
endpoint identities and such) instead of hoping that consortia get the
security right.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/