Re: Review of draft-saintandre-tls-server-id-check

Martin Rex <mrex@sap.com> Thu, 09 September 2010 21:11 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201009092110.o89LAZES029497@fs4113.wdf.sap.corp>
Subject: Re: Review of draft-saintandre-tls-server-id-check
To: shuque@isc.upenn.edu
Date: Thu, 09 Sep 2010 23:10:35 +0200
In-Reply-To: <20100908195349.GA4292@isc.upenn.edu> from "Shumon Huque" at Sep 8, 10 03:53:49 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: bernard_aboba@hotmail.com, ietf@ietf.org
Precedence: list
Reply-To: mrex@sap.com

Shumon Huque wrote:
> 
> On Wed, Sep 08, 2010 at 08:44:56AM -0700, Bernard Aboba wrote:
> > 
> > If the "reference identifier" is  _Service.Name then the match is being done
> > on the *input* to the SRV lookup process, not the output, and prohibition on
> > DNS lookups would not apply (or even make any sense). 
> 
> Yes.
> 
> The output of the SRV record lookup contains a target hostname,
> not a service name, so it's not applicable to the SRVName name
> form. The target could be used in another name form (dNSName)
> as the reference identifier, but then the client needs to convince
> itself that the lookup was done securely (DNSSEC or some other
> means) otherwise there's a security problem.

I'm feeling very uneasy with the suggestion that a DNSSEC instead
of the DNS lookup might make it less of a security problem.

DNSSEC provides only data integrity protection and data origin
authentication of the records, and NOTHING beyond that.  In particular,
it does _NOT_ provide any trust in the conveyed information.

But in order to avoid the mentioned security problem, trust in the
transformation is an absolute prerequisite for the name transformation
in order to use the result in any kind of endpoint identity verification.

Although I personally think the trustworthiness of the rootCA certs
in web browsers is significantly overrated, there seems to be some
understanding out there that there is a huge difference between
cryptographic protection and trust, so there are browser vendors that
require CAs to apply a certain amount of scrutiny before issuing
certificates and subject themselves to an audit for a non-negligable
amount of cost before the browser vendors are going to include the
CAs self-signed rootCA cert as pre-trusted with their browser.

Are DNS domain admins going to be required to apply as much scrutiny
for each and every DNS record in their zone and have to succeed a
comparable audit of their DNS record maintenance procedures before
their parent domain will sign their zone signing keys?

DNS is an important an vital part of the internet, and it needs to
remain fast, efficient and free in order to remain useful.
Besides, even if DNSSEC signed records are being made available
in increasing numbers, that information is not visible to >90% of
the end users of the internet (like DSL subscribers) and is going to
remain invisible for most of them for many years to come.

-Martin

Review of draft-saintandre-tls-server-id-check Bernard Aboba
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check =JeffH
Re: Review of draft-saintandre-tls-server-id-check t.petch
RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check t.petch
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Martin Rex
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check t.petch
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
Why require EKU for certid? Paul Hoffman
Re: Why require EKU for certid? Peter Saint-Andre
Re: [certid] Why require EKU for certid? Martin Rex
RE: [TLS] Why require EKU for certid? Jim Schaad
Re: [certid] Why require EKU for certid? Henry B. Hotz