IETF Logo Mail Archive

Re: Review of draft-saintandre-tls-server-id-check

Dave Cridland <dave@cridland.net> Mon, 13 September 2010 17:04 UTC

Return-Path: <dave@cridland.net>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7D3A3A69F7; Mon, 13 Sep 2010 10:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.466
X-Spam-Level:
X-Spam-Status: No, score=-2.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5PDCsCBuTyOs; Mon, 13 Sep 2010 10:04:51 -0700 (PDT)
Received: from peirce.dave.cridland.net (peirce.dave.cridland.net [217.155.137.61]) by core3.amsl.com (Postfix) with ESMTP id AC3BB3A69A7; Mon, 13 Sep 2010 10:04:49 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by peirce.dave.cridland.net (Postfix) with ESMTP id A990E11680C6; Mon, 13 Sep 2010 18:05:14 +0100 (BST)
X-Virus-Scanned: Debian amavisd-new at peirce.dave.cridland.net
Received: from peirce.dave.cridland.net ([127.0.0.1]) by localhost (peirce.dave.cridland.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5wddZcZww+X5; Mon, 13 Sep 2010 18:05:11 +0100 (BST)
Received: from puncture (unknown [217.155.137.60]) by peirce.dave.cridland.net (Postfix) with ESMTPA id 92BDC11680AA; Mon, 13 Sep 2010 18:05:11 +0100 (BST)
Subject: Re: Review of draft-saintandre-tls-server-id-check
References: <20100908195349.GA4292@isc.upenn.edu> <C8ADC7ED.EBA4%stefan@aaa-sec.com> <20100909182253.GB3460@isc.upenn.edu> <4C8E4C6B.3040803@stpeter.im> <20100913165259.GA9709@isc.upenn.edu>
In-Reply-To: <20100913165259.GA9709@isc.upenn.edu>
MIME-Version: 1.0
Message-Id: <8252.1284397511.595153@puncture>
Date: Mon, 13 Sep 2010 18:05:11 +0100
From: Dave Cridland <dave@cridland.net>
To: Shumon Huque <shuque@isc.upenn.edu>, Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, IETF-Discussion <ietf@ietf.org>, Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2010 17:04:52 -0000

On Mon Sep 13 17:52:59 2010, Shumon Huque wrote:
> Yes, but whether they are actually "current" best practices is
> debatable. I certainly would like them to become best practices.
> For example I don't believe any existing commercial CAs issue
> certificates with the SRVName or URI SAN name forms.
> 
> 
They do, I've seen sRVName SANs in some XMPP server certificates.


> > Do we have evidence that any existing
> > certification authorities issue certificates containing both an  
> SRVname
> > for the source domain (e.g., example.com) and dNSName for the  
> target
> > domain (e.g., apphosting.example.net)? Do we have evidence that  
> any
> > existing application clients perform such checks? If not, I would
> > consider such complications to be out of scope for this I-D.
> 
> I think the question is whether we have examples of applications
> that need to verify "combinations" of subjectaltname name forms in
> certificates. Stefan says there are, but so far no-one has offered
> up any public specifications of such apps. So, I think until we
> have them, I agree we can defer considerations of them to future
> documents.
> 
> I think it's reasonable for this draft to consider multiple identity
> types in certificates (eg. common name, dNSName, SRVName) with the
> current matching rules of ANY. This might be needed to gradually
> transition an app from validating a host specific identity to an
> application specific identity. The current draft allows this.
> 
> 
Isode M-Link will check xmppAddr and dNSName (and I'll add in sRVName  
soonish, and possibly URI). If no SANs of a supported type exist,  
then it will fall back to a CN match.

It will not check the dNSName against the result of a SRV DNS lookup,  
ever, nor will it check a dNSName if it has already found a matching  
xmppAddr (nor vice-versa). As such it's not checking combinations of  
SANs.

Looking at the draft, it seems to read that I should check dNSName  
first, and then, only if this matches, check xmppAddr or sRVName.  
This seems odd - sRVName and xmppAddr (and URI) all contain a  
superset of the data contained, so why look at dNSName if a more  
specific match exists?

Dave.
-- 
Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

v2.23.0 | Report a Bug | By Email