IETF Logo Mail Archive

Review of draft-saintandre-tls-server-id-check

Bernard Aboba <bernard_aboba@hotmail.com> Wed, 25 August 2010 00:38 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 298483A694E for <ietf@core3.amsl.com>; Tue, 24 Aug 2010 17:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.944
X-Spam-Level:
X-Spam-Status: No, score=-100.944 tagged_above=-999 required=5 tests=[AWL=0.165, BAYES_05=-1.11, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3dFBR7b8o7Z for <ietf@core3.amsl.com>; Tue, 24 Aug 2010 17:37:59 -0700 (PDT)
Received: from blu0-omc2-s23.blu0.hotmail.com (blu0-omc2-s23.blu0.hotmail.com [65.55.111.98]) by core3.amsl.com (Postfix) with ESMTP id BFEC43A688E for <ietf@ietf.org>; Tue, 24 Aug 2010 17:37:58 -0700 (PDT)
Received: from BLU137-W32 ([65.55.111.71]) by blu0-omc2-s23.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 24 Aug 2010 17:38:30 -0700
Message-ID: <BLU137-W32189ED2D1B0FDFCBF639F93840@phx.gbl>
Content-Type: multipart/alternative; boundary="_0216d8c1-1c66-43ca-9d9e-41d323f8c242_"
X-Originating-IP: [64.134.138.44]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: ietf@ietf.org, stefan@aaa-sec.com
Subject: Review of draft-saintandre-tls-server-id-check
Date: Tue, 24 Aug 2010 17:38:30 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Aug 2010 00:38:30.0887 (UTC) FILETIME=[D7505F70:01CB43ED]
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2010 00:38:00 -0000

I reviewed draft-saintandre-tls-server-id-check. 

In a number of instances, this document is vague on the verification of an SRV-ID, and in one instance, it appears to contradict RFC 4985, even though it does not update that document. 

Section 2.1 states:

   o  An SRV-ID can be either direct (provided by a user) or more
      typically indirect (resolved by a client) and is restricted (can
      be used for only a single application).

This is consistent with RFC 4985 Section 2.1 which states:

   The SRVName, if present, MUST contain a service name and a domain
   name in the following form:

      _Service.Name

Yet, Section 5.1 states: 

When the connecting application is an interactive client, the source
   domain name and service type MUST be provided by a human user (e.g.
   when specifying the server portion of the user's account name on the
   server or when explicitly configuring the client to connect to a
   particular host or URI as in [SIP-LOC]) and MUST NOT be derived from
   the user inputs in an automated fashion (e.g., a host name or domain
   name discovered through DNS resolution of the source domain).  This
   rule is important because only a match between the user inputs (in
   the form of a reference identifier) and a presented identifier
   enables the client to be sure that the certificate can legitimately
   be used to secure the connection.

   However, an interactive client MAY provide a configuration setting
   that enables a human user to explicitly specify a particular host
   name or domain name (called a "target domain") to be checked for
   connection purposes.

[BA]  As I understand RFC 4985, the SRV-ID provided in the target certificate is to be
matched against components (service name and domain name) of the SRV RR obtained 
via lookup within the source domain. As a result, I don't believe that RFC 4985 is
consistent with this advice (e.g. the reference identifier is not matched against the
SRV-ID).

Section 4.1 is not as clear as it could be on this point, given that it talks about both
matching of the source domain and the target domain: 

   4.  When checking a reference identifier against a presented
       identifier, the client (a) MUST match the source domain (or, in
       some cases, target domain) of the identifiers and (b) MAY also
       match the service type of the identifiers.

      Implementation Note: Naturally, in addition to checking
      identifiers, a client might complete further checks to ensure that
      the server is authorized to provide the requested service.
      However, such checking is not a matter of verifying the
      application service identity presented in a certificate, and
      therefore methods for doing so (e.g., consulting local policy
      information) are out of scope for this document.

v2.23.0 | Report a Bug | By Email