IETF Logo Mail Archive

Re: [certid] Review of draft-saintandre-tls-server-id-check

Shumon Huque <shuque@isc.upenn.edu> Thu, 09 September 2010 20:08 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24BC33A6873; Thu, 9 Sep 2010 13:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.689
X-Spam-Level:
X-Spam-Status: No, score=-3.689 tagged_above=-999 required=5 tests=[AWL=-1.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RTYe+v35mxNK; Thu, 9 Sep 2010 13:08:06 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 376D63A686B; Thu, 9 Sep 2010 13:08:06 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 3124B26D7; Thu, 9 Sep 2010 16:08:33 -0400 (EDT)
Date: Thu, 09 Sep 2010 16:08:33 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Stefan Santesson <stefan@aaa-sec.com>
Subject: Re: [certid] Review of draft-saintandre-tls-server-id-check
Message-ID: <20100909200833.GA6057@isc.upenn.edu>
References: <20100909181137.GA3460@isc.upenn.edu> <C8AF0251.EC68%stefan@aaa-sec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <C8AF0251.EC68%stefan@aaa-sec.com>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2010 20:08:07 -0000

On Thu, Sep 09, 2010 at 09:29:53PM +0200, Stefan Santesson wrote:
> On the issue of checking multiple name forms.
> 
> I would put it in another way. Web clients are typically only used to check
> the domain name and nothing else because it is the only thing they care
> about and know how to match.

Not just Web, but likely the various other applications listed 
in the appendix of draft-saintandre-tls-server-id-check also
(IMAP, POP3, LDAP, ..)

> PKI enabled clients in general are used to check numerous of name forms and
> attributes in order to determine a match.

Can you give us some examples of such applications, and where 
their subject identity matching rules are specified? Appendix
A ("Prior Art") probably should consider them.

> I think it is wrong to say as a general rule that a certificate successfully
> maps to the appropriate server if either the SRV-Name or the DNS Name
> matches. To me this is highly context dependent where different protocols
> and applications have different needs.

Yeah, I think I agree with that. Ultimately the application protocol
should decide what its (potentially arbitrarily complex) identity
matching rules should be. This is why I'm suspicious that the current
draft can successfully achieve it's supposed goal of defining some
general purpose rules or best practices.

One of the ideas was that application protocol designers often
don't want to be concerned with the complex details of certificate
matching and verification rules and would like to refer to some 
standard document that does.

> If the only thing I need to know is that the server is authorized to deliver
> the requested service for the requested domain, then SRVName match only is
> OK. If you need to know that this host is the host it claims to be, then
> it's not.
> 
> What needs to be checked is to me a typical case of local policy and one
> size does not fit all.
> 
> /Stefan
> 

-- 
Shumon Huque
University of Pennsylvania.

v2.29.0 | Report a Bug | By Email | System Status