Re: Review of draft-saintandre-tls-server-id-check
Stefan Santesson <stefan@aaa-sec.com> Wed, 08 September 2010 16:56 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F9A33A68AD for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 09:56:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.573
X-Spam-Level:
X-Spam-Status: No, score=-102.573 tagged_above=-999 required=5 tests=[AWL=0.676, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzmup66yEQtE for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 09:56:38 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.115]) by core3.amsl.com (Postfix) with ESMTP id 99F5D3A6807 for <ietf@ietf.org>; Wed, 8 Sep 2010 09:56:32 -0700 (PDT)
Received: from s128.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 0915A3AD192 for <ietf@ietf.org>; Wed, 8 Sep 2010 18:55:39 +0200 (CEST)
Received: (qmail 12448 invoked from network); 8 Sep 2010 13:40:13 -0000
Received: from unknown (HELO [192.168.1.8]) (stefan@fiddler.nu@[85.235.2.114]) (envelope-sender <stefan@aaa-sec.com>) by s128.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <bernard_aboba@hotmail.com>; 8 Sep 2010 13:40:13 -0000
User-Agent: Microsoft-Entourage/12.26.0.100708
Date: Wed, 08 Sep 2010 15:40:08 +0200
Subject: Re: Review of draft-saintandre-tls-server-id-check
From: Stefan Santesson <stefan@aaa-sec.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, daedulus@btconnect.com, ietf@ietf.org, stpeter@stpeter.im
Message-ID: <C8AD5ED8.EB30%stefan@aaa-sec.com>
Thread-Topic: Review of draft-saintandre-tls-server-id-check
Thread-Index: ActPW1n0uedamFmw9UqcYKCtJQoOcw==
In-Reply-To: <BLU137-W154CAC092887C97B8F0B6493700@phx.gbl>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 16:56:39 -0000
Being the author of RFC 4985 I agree with most of you say here. Comments in line; On 10-09-06 8:48 PM, "Bernard Aboba" <bernard_aboba@hotmail.com> wrote: > That was in fact my original question. > > Section 5.1 states that the source domain and service type MUST be > provided by a human user, and can't be derived. Yet in an SRV or > DDDS lookup, it is not the source domain that is derived, it is the > target domain. Given that, it's not clear to me what types of DNS > resolutions are to be discouraged. > This puzzled me as well. The domain of interest is the domain where the requested service is located = target domain. > As noted elsewhere, RFC 4985 appears to require matching of the > source domain/service type to the SRV-ID in the certificate. It is not. RFC 4985 says the following in section 2: _Service.Name <snip> Name The DNS domain name of the domain where the specified service is located. > Such > a process would be consistent with a match between user inputs > (the source domain and service type) and the presented identifier > (the SRV-ID). > Since this is not the definition of SRVName, this type of matching does not apply. > >> Yet, Section 5.1 states: >> >> When the connecting application is an interactive client, the source >> domain name and service type MUST be provided by a human user (e.g. >> when specifying the server portion of the user's account name on the >> server or when explicitly configuring the client to connect to a >> particular host or URI as in [SIP-LOC]) and MUST NOT be derived from >> the user inputs in an automated fashion (e.g., a host name or domain >> name discovered through DNS resolution of the source domain). This >> rule is important because only a match between the user inputs (in >> the form of a reference identifier) and a presented identifier >> enables the client to be sure that the certificate can legitimately >> be used to secure the connection. >> >> However, an interactive client MAY provide a configuration setting >> that enables a human user to explicitly specify a particular host >> name or domain name (called a "target domain") to be checked for >> connection purposes. >> >> [TP] what I thought was about to be raised here was a contradiction that >> RFC4985 >> is all about information gotten from a DNS retrieval whereas the wording of >> s5.1 >> in this I-D >> >> "the source >> domain name and service type ... MUST NOT be derived from >> the user inputs in an automated fashion (e.g., ... discovered through DNS >> resolution ... " >> >> would appear to exclude DNS resolution. If DNS resolution is off limits, >> then >> RFC4985 would appear not to apply. >> RFC 4985 provides the client with a way to authenticate a host that it believes is authorized to provide a specific service in the target domain. It does not matter from where the client has obtained that authorization information or whether that information is trustworthy. A client may very well do an insecure DNS lookup to discover what host is providing the requested service. The client would then contact that host and obtained it's certificate. If the certificate is trusted and it's SRVName matches the information provided from the DNS server, then everything is fine. The client now has assurance from the CA that this host is in fact authorized to provide this service. /Stefan
- Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check =JeffH
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Martin Rex
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Why require EKU for certid? Paul Hoffman
- Re: Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Martin Rex
- RE: [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Henry B. Hotz