Re: Review of draft-saintandre-tls-server-id-check
"t.petch" <daedulus@btconnect.com> Wed, 08 September 2010 09:12 UTC
Return-Path: <daedulus@btconnect.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7236D3A67EB for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 02:12:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.592
X-Spam-Level:
X-Spam-Status: No, score=-1.592 tagged_above=-999 required=5 tests=[AWL=1.007, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6kbtQ3Jdi22 for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 02:12:30 -0700 (PDT)
Received: from c2beaomr02.btconnect.com (c2beaomr02.btconnect.com [213.123.26.180]) by core3.amsl.com (Postfix) with ESMTP id D54CC3A67F7 for <ietf@ietf.org>; Wed, 8 Sep 2010 02:12:29 -0700 (PDT)
Received: from pc6 (host81-153-11-67.range81-153.btcentralplus.com [81.153.11.67]) by c2beaomr02.btconnect.com with SMTP id ECW39257; Wed, 8 Sep 2010 10:12:54 +0100 (BST)
X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=0001.0A0B0301.4C875396.0278, actions=tag
Message-ID: <00b701cb4f2d$a1c29e40$4001a8c0@gateway.2wire.net>
From: "t.petch" <daedulus@btconnect.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, ietf@ietf.org, stpeter@stpeter.im
References: <BLU137-W32189ED2D1B0FDFCBF639F93840@phx.gbl>, <00c301cb4dcc$f7be44a0$4001a8c0@gateway.2wire.net> <BLU137-W154CAC092887C97B8F0B6493700@phx.gbl>
Subject: Re: Review of draft-saintandre-tls-server-id-check
Date: Wed, 08 Sep 2010 10:09:16 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
x-mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Junkmail-Status: score=10/50, host=c2beaomr02.btconnect.com
X-Junkmail-SD-Raw: score=unknown, refid=str=0001.0A0B0206.4C875397.0230, ss=1, fgs=0, ip=0.0.0.0, so=2009-07-20 21:54:04, dmn=5.7.1/2009-08-27, mode=single engine
X-Junkmail-IWF: false
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 09:12:31 -0000
[TP]inline ----- Original Message ----- From: "Bernard Aboba" <bernard_aboba@hotmail.com> To: <daedulus@btconnect.com>; <ietf@ietf.org>; <stpeter@stpeter.im> Sent: Monday, September 06, 2010 8:48 PM That was in fact my original question. Section 5.1 states that the source domain and service type MUST be provided by a human user, and can't be derived. Yet in an SRV or DDDS lookup, it is not the source domain that is derived, it is the target domain. Given that, it's not clear to me what types of DNS resolutions are to be discouraged. [TP] Right, I see what you mean. The DNS resolution I had in mind, if it is a resolution, is that while the interactive user had specified a DNS name and that name had been fed into a DNS Query, then the SRV record had been returned as an Additional RR, not as an Answer, and that the Name from this Additional RR was now being used as the source domain for the purposes of this I-D. Which section 5.1 might be trying to preclude. Tom Petch ============================================ As noted elsewhere, RFC 4985 appears to require matching of the source domain/service type to the SRV-ID in the certificate. Such a process would be consistent with a match between user inputs (the source domain and service type) and the presented identifier (the SRV-ID). > Yet, Section 5.1 states: > > When the connecting application is an interactive client, the source > domain name and service type MUST be provided by a human user (e.g. > when specifying the server portion of the user's account name on the > server or when explicitly configuring the client to connect to a > particular host or URI as in [SIP-LOC]) and MUST NOT be derived from > the user inputs in an automated fashion (e.g., a host name or domain > name discovered through DNS resolution of the source domain). This > rule is important because only a match between the user inputs (in > the form of a reference identifier) and a presented identifier > enables the client to be sure that the certificate can legitimately > be used to secure the connection. > > However, an interactive client MAY provide a configuration setting > that enables a human user to explicitly specify a particular host > name or domain name (called a "target domain") to be checked for > connection purposes. > > [TP] what I thought was about to be raised here was a contradiction that RFC4985 > is all about information gotten from a DNS retrieval whereas the wording of s5.1 > in this I-D > > "the source > domain name and service type ... MUST NOT be derived from > the user inputs in an automated fashion (e.g., ... discovered through DNS > resolution ... " > > would appear to exclude DNS resolution. If DNS resolution is off limits, then > RFC4985 would appear not to apply. > > Does s5.1 of the I-D mean what it appears to say? > > Tom Petch
- Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check =JeffH
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Martin Rex
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Why require EKU for certid? Paul Hoffman
- Re: Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Martin Rex
- RE: [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Henry B. Hotz