IETF Logo Mail Archive

Re: [certid] review of draft-saintandre-tls-server-id-check-09

Sean Turner <turners@ieca.com> Tue, 14 September 2010 16:13 UTC

Return-Path: <turners@ieca.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BECE3A6A76 for <ietf@core3.amsl.com>; Tue, 14 Sep 2010 09:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.289
X-Spam-Level:
X-Spam-Status: No, score=-102.289 tagged_above=-999 required=5 tests=[AWL=0.309, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BR4KE1aQxg2Z for <ietf@core3.amsl.com>; Tue, 14 Sep 2010 09:13:36 -0700 (PDT)
Received: from smtp113.biz.mail.mud.yahoo.com (smtp113.biz.mail.mud.yahoo.com [209.191.68.78]) by core3.amsl.com (Postfix) with SMTP id 648923A69DA for <ietf@ietf.org>; Tue, 14 Sep 2010 09:13:18 -0700 (PDT)
Received: (qmail 53679 invoked from network); 14 Sep 2010 16:07:04 -0000
Received: from thunderfish.local (turners@96.231.127.24 with plain) by smtp113.biz.mail.mud.yahoo.com with SMTP; 14 Sep 2010 09:07:04 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: 6YKkNfkVM1kyELf2yVmV7QSu9z17oIk.eGChTtd3smXW._g kPqmBGn9vb..UBU78Re.0rzK1GMKdblvGkiUvgSW9QG44r06U0uROUhT98Y5 qgHvKy3RLTDcM20MIG9u2jB9u2eiPslsOlJSxjx3LaALc2RTiAJFog5sF6XO kJ1A0GC.yqJT.AfExP0o9MPQBM_Drsyon5H5wlS.xsw9n84EgvsPJU7znYo0 UfQJbSFzsG4a6CLOCQY3spEl_J.iFn4J19CYq3Ix9e8x6HDOUUHMHi1qIGsW UUaG3PIFgcKAs8aqyAb7W1UlpVoYNq4.GUhCnqPpqHm.FD.BsESfXKPhQbiQ 1r3CZ04Qj
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4C8F9DA7.90701@ieca.com>
Date: Tue, 14 Sep 2010 12:07:03 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
Subject: Re: [certid] review of draft-saintandre-tls-server-id-check-09
References: <sdwrqpyo06.fsf@wjh.hardakers.net>
In-Reply-To: <sdwrqpyo06.fsf@wjh.hardakers.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: certid@ietf.org, tls@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2010 16:13:51 -0000

I'd offered to review this version during the TLS session at IETF 78, 
but I think I'm going to wait for the next version ;)

spt

Wes Hardaker wrote:
> I've reviewed draft-saintandre-tls-server-id-check-09 and find it a good
> document and support it's forward progress.  I do have a few comments
> though:
> 
> (*):
>   Applies to many of the comments below: some parts of the document
>   read like a BCP in the way it tries to rationalize things.  A number
>   of these text sections really don't help the document, though, as it
>   adds unneeded ambiguity.  Examples of this are marked below with (*).
> 
> Section 1.1: (*)
>   I don't think you should be spelling out the popularity of TLS vs
>   DTLS.  While it may be true today, this is intended to be a proposed
>   standard and thus doesn't need to specify that one is potentially more
>   popular than the other.  The document should be targeting the use of
>   both regardless of how well DTLS is used at the moment.  Suggested:
> 
>   OLD:
>                                   When a client connects to an
>     application services using Transport Layer Security [TLS] (or, less
>     commonly, Datagram Transport Layer Security [DTLS]), it references
>     some conception of the server's identity while attempting to
>     establish a secure connection (e.g., "the web site at example.com").
> 
>   New:
>                                   When a client connects to an
>     application services using Transport Layer Security [TLS] or
>     Datagram Transport Layer Security [DTLS], it references some
>     conception of the server's identity while attempting to establish a
>     secure connection (e.g., "the web site at example.com").
> 
> Section 1.1 and the appendices:
>   You could now, if you wanted, add SNMP over (D)TLS: RFC5953.  If
>   you're going to copy into the appendix as well, the text to copy is
>   from the snmpTlstmAddrTable object in that document.
> 
> Section 1.3.2: (*)
>   This section is full of text that is subjective and really isn't
>   needed in the first place.  Nearly every paragraph contains text that
>   may be true today but might not be in the future or is subject to
>   interpretation.  While I agree with most of the conclusions, I don't
>   think it's worth putting the text into the document; especially when
>   the text is simply defining what's out of scope.  I don't think you
>   need to spend effort rationalizing what's out of scope.
> 
>   Suggestion: keep the bullets, ditch the paragraphs.
> 
>   Phrasing examples (IE, an incomplete list) that are questionable:
> 
>     "service operators have less experience with client certificates"
> 
>     "Most fundamentally, most users find DNS domain names much easier to
>     work with than IP addresses, which is why the domain name system was
>     designed in the first place.
> 
>     "Furthermore, application technologies have less experience with
>     IPsec than with TLS, thus making it more difficult to gather
>     feedback on proposed best practices."
> 
> Section 1.4, "Target Domain"
>   It took me far too long into reading this document to remember what a
>   "target domain" really meant.  IMHO, a better term that already
>   conveys the proper meaning to most readers would be a "derived
>   domain".  Think about a global search and replace for target->derived?
> 
> Section 3, bullet 5:
>   Unfortunately, this is the one rule I think will be
>   broken the most often.  Fortunately, checking from the client side
>   says to ignore the CN-ID if it can match on other things as well.
>   Because of this, the only thing this particular rule hurts is the
>   software that isn't going to conform to this document because the code
>   is already too old.  It's basically a "should upgrade" statement.  I
>   think an extra sentence here might be helpful, though I don't have a
>   suggestion at the moment.
> 
> Section 4.3, security note:
>   I actually think wording these things is tricky when the future is
>   unknown.  I think it's generally safer to describe the only conditions
>   which are valid for checking a CN-ID instead of trying to list all the
>   "MUST NOT" cases, which is more likely to change with the addition of
>   future specs into the spec tree.  I didn't have time to fully think
>   out replacement text, but I'd start it with "A client MUST only seek a
>   match for a reference identifier of a CN-ID if it is the only
>   available presented identifier."  Or something like that.
> 
> Section 5, Security Considerations:
>   The interesting thing about this specification is that we're leaving a
>   fairly broad range of potential "success" matches.  Not only that, but
>   future specifications may lead to future reference identity matches
>   that previously didn't work.  Fortunately, I can't come up with an
>   example that works all that well to describe it but somehow I'm left
>   feeling nervous that a server cert could have a clause the clients
>   don't understand currently but might later after a software upgrade
>   and an admin that expects a failure may suddenly see a success.  You
>   can ignore this paragraph if you fail to grasp what I'm trying to say,
>   as I'm not at all stating it well.
> 
> Section 5.1, Service Delegation:
>   You discuss interactive clients and how the the source domain name
>   MUST be provided by a human user.  But the odd case that I couldn't
>   figure out what it mapped to was references from an original source.
>   EG, images or javascript elements in a web page aren't "provided by
>   the user", but a web-browser is certainly interactive.  This sort of
>   "snow ball" domain list probably should be discussed at least in
>   brief.
> 
> Section 5.1, Service Delegation:
>   I read the last paragraph (which is one sentence) multiple times and I
>   only barely feel that I understand what it's saying.  I'd suggest
>   rewording it for clarity and splitting it into multiple sentences.
>   I'd offer suggestive text, but then I'd prove that I really didn't
>   understand it.
> 
> General:
>   Some of the possible combinations and options that may exist could
>   really use an "examples" section or something that had example info
>   from a certificate combined with example list of expected reference
>   indenties.  Though this would be nice, it's not at all critical.
>

v2.23.0 | Report a Bug | By Email