Re: [certid] review of draft-saintandre-tls-server-id-check-09
Sean Turner <turners@ieca.com> Tue, 14 September 2010 16:13 UTC
Return-Path: <turners@ieca.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BECE3A6A76 for <ietf@core3.amsl.com>; Tue, 14 Sep 2010 09:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.289
X-Spam-Level:
X-Spam-Status: No, score=-102.289 tagged_above=-999 required=5 tests=[AWL=0.309, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BR4KE1aQxg2Z for <ietf@core3.amsl.com>; Tue, 14 Sep 2010 09:13:36 -0700 (PDT)
Received: from smtp113.biz.mail.mud.yahoo.com (smtp113.biz.mail.mud.yahoo.com [209.191.68.78]) by core3.amsl.com (Postfix) with SMTP id 648923A69DA for <ietf@ietf.org>; Tue, 14 Sep 2010 09:13:18 -0700 (PDT)
Received: (qmail 53679 invoked from network); 14 Sep 2010 16:07:04 -0000
Received: from thunderfish.local (turners@96.231.127.24 with plain) by smtp113.biz.mail.mud.yahoo.com with SMTP; 14 Sep 2010 09:07:04 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: 6YKkNfkVM1kyELf2yVmV7QSu9z17oIk.eGChTtd3smXW._g kPqmBGn9vb..UBU78Re.0rzK1GMKdblvGkiUvgSW9QG44r06U0uROUhT98Y5 qgHvKy3RLTDcM20MIG9u2jB9u2eiPslsOlJSxjx3LaALc2RTiAJFog5sF6XO kJ1A0GC.yqJT.AfExP0o9MPQBM_Drsyon5H5wlS.xsw9n84EgvsPJU7znYo0 UfQJbSFzsG4a6CLOCQY3spEl_J.iFn4J19CYq3Ix9e8x6HDOUUHMHi1qIGsW UUaG3PIFgcKAs8aqyAb7W1UlpVoYNq4.GUhCnqPpqHm.FD.BsESfXKPhQbiQ 1r3CZ04Qj
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4C8F9DA7.90701@ieca.com>
Date: Tue, 14 Sep 2010 12:07:03 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
Subject: Re: [certid] review of draft-saintandre-tls-server-id-check-09
References: <sdwrqpyo06.fsf@wjh.hardakers.net>
In-Reply-To: <sdwrqpyo06.fsf@wjh.hardakers.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org, tls@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2010 16:13:51 -0000
I'd offered to review this version during the TLS session at IETF 78, but I think I'm going to wait for the next version ;) spt Wes Hardaker wrote: > I've reviewed draft-saintandre-tls-server-id-check-09 and find it a good > document and support it's forward progress. I do have a few comments > though: > > (*): > Applies to many of the comments below: some parts of the document > read like a BCP in the way it tries to rationalize things. A number > of these text sections really don't help the document, though, as it > adds unneeded ambiguity. Examples of this are marked below with (*). > > Section 1.1: (*) > I don't think you should be spelling out the popularity of TLS vs > DTLS. While it may be true today, this is intended to be a proposed > standard and thus doesn't need to specify that one is potentially more > popular than the other. The document should be targeting the use of > both regardless of how well DTLS is used at the moment. Suggested: > > OLD: > When a client connects to an > application services using Transport Layer Security [TLS] (or, less > commonly, Datagram Transport Layer Security [DTLS]), it references > some conception of the server's identity while attempting to > establish a secure connection (e.g., "the web site at example.com"). > > New: > When a client connects to an > application services using Transport Layer Security [TLS] or > Datagram Transport Layer Security [DTLS], it references some > conception of the server's identity while attempting to establish a > secure connection (e.g., "the web site at example.com"). > > Section 1.1 and the appendices: > You could now, if you wanted, add SNMP over (D)TLS: RFC5953. If > you're going to copy into the appendix as well, the text to copy is > from the snmpTlstmAddrTable object in that document. > > Section 1.3.2: (*) > This section is full of text that is subjective and really isn't > needed in the first place. Nearly every paragraph contains text that > may be true today but might not be in the future or is subject to > interpretation. While I agree with most of the conclusions, I don't > think it's worth putting the text into the document; especially when > the text is simply defining what's out of scope. I don't think you > need to spend effort rationalizing what's out of scope. > > Suggestion: keep the bullets, ditch the paragraphs. > > Phrasing examples (IE, an incomplete list) that are questionable: > > "service operators have less experience with client certificates" > > "Most fundamentally, most users find DNS domain names much easier to > work with than IP addresses, which is why the domain name system was > designed in the first place. > > "Furthermore, application technologies have less experience with > IPsec than with TLS, thus making it more difficult to gather > feedback on proposed best practices." > > Section 1.4, "Target Domain" > It took me far too long into reading this document to remember what a > "target domain" really meant. IMHO, a better term that already > conveys the proper meaning to most readers would be a "derived > domain". Think about a global search and replace for target->derived? > > Section 3, bullet 5: > Unfortunately, this is the one rule I think will be > broken the most often. Fortunately, checking from the client side > says to ignore the CN-ID if it can match on other things as well. > Because of this, the only thing this particular rule hurts is the > software that isn't going to conform to this document because the code > is already too old. It's basically a "should upgrade" statement. I > think an extra sentence here might be helpful, though I don't have a > suggestion at the moment. > > Section 4.3, security note: > I actually think wording these things is tricky when the future is > unknown. I think it's generally safer to describe the only conditions > which are valid for checking a CN-ID instead of trying to list all the > "MUST NOT" cases, which is more likely to change with the addition of > future specs into the spec tree. I didn't have time to fully think > out replacement text, but I'd start it with "A client MUST only seek a > match for a reference identifier of a CN-ID if it is the only > available presented identifier." Or something like that. > > Section 5, Security Considerations: > The interesting thing about this specification is that we're leaving a > fairly broad range of potential "success" matches. Not only that, but > future specifications may lead to future reference identity matches > that previously didn't work. Fortunately, I can't come up with an > example that works all that well to describe it but somehow I'm left > feeling nervous that a server cert could have a clause the clients > don't understand currently but might later after a software upgrade > and an admin that expects a failure may suddenly see a success. You > can ignore this paragraph if you fail to grasp what I'm trying to say, > as I'm not at all stating it well. > > Section 5.1, Service Delegation: > You discuss interactive clients and how the the source domain name > MUST be provided by a human user. But the odd case that I couldn't > figure out what it mapped to was references from an original source. > EG, images or javascript elements in a web page aren't "provided by > the user", but a web-browser is certainly interactive. This sort of > "snow ball" domain list probably should be discussed at least in > brief. > > Section 5.1, Service Delegation: > I read the last paragraph (which is one sentence) multiple times and I > only barely feel that I understand what it's saying. I'd suggest > rewording it for clarity and splitting it into multiple sentences. > I'd offer suggestive text, but then I'd prove that I really didn't > understand it. > > General: > Some of the possible combinations and options that may exist could > really use an "examples" section or something that had example info > from a certificate combined with example list of expected reference > indenties. Though this would be nice, it's not at all critical. >
- review of draft-saintandre-tls-server-id-check-09 Wes Hardaker
- Re: [certid] review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] review of draft-saintandre-tls-serve… Sean Turner
- Re: review of draft-saintandre-tls-server-id-chec… Peter Saint-Andre
- Re: [certid] review of draft-saintandre-tls-serve… Martin Rex
- Re: [certid] review of draft-saintandre-tls-serve… Henry B. Hotz
- Re: [TLS] [certid] review of draft-saintandre-tls… Marsh Ray
- Re: [TLS] [certid] review of draft-saintandre-tls… Martin Rex
- Re: [certid] review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [TLS] [certid] review of draft-saintandre-tls… Peter Saint-Andre