Re: [certid] Review of draft-saintandre-tls-server-id-check
Stefan Santesson <stefan@aaa-sec.com> Thu, 09 September 2010 19:29 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABA083A677E for <ietf@core3.amsl.com>; Thu, 9 Sep 2010 12:29:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.519
X-Spam-Level:
X-Spam-Status: No, score=-102.519 tagged_above=-999 required=5 tests=[AWL=0.730, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWmQlozyZ2DS for <ietf@core3.amsl.com>; Thu, 9 Sep 2010 12:29:56 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.115]) by core3.amsl.com (Postfix) with ESMTP id 8280A3A688B for <ietf@ietf.org>; Thu, 9 Sep 2010 12:29:56 -0700 (PDT)
Received: from s24.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 0351838599D for <ietf@ietf.org>; Thu, 9 Sep 2010 21:30:03 +0200 (CEST)
Received: (qmail 58979 invoked from network); 9 Sep 2010 19:29:55 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.5]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s24.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <shuque@isc.upenn.edu>; 9 Sep 2010 19:29:55 -0000
User-Agent: Microsoft-Entourage/12.26.0.100708
Date: Thu, 09 Sep 2010 21:29:53 +0200
Subject: Re: [certid] Review of draft-saintandre-tls-server-id-check
From: Stefan Santesson <stefan@aaa-sec.com>
To: Shumon Huque <shuque@isc.upenn.edu>
Message-ID: <C8AF0251.EC68%stefan@aaa-sec.com>
Thread-Topic: [certid] Review of draft-saintandre-tls-server-id-check
Thread-Index: ActQVWBnZiGXzzdlrkmGCvUA3UdZ8w==
In-Reply-To: <20100909181137.GA3460@isc.upenn.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2010 19:29:57 -0000
On the issue of checking multiple name forms. I would put it in another way. Web clients are typically only used to check the domain name and nothing else because it is the only thing they care about and know how to match. PKI enabled clients in general are used to check numerous of name forms and attributes in order to determine a match. When you add SRV-ID to the pool you change what is usual in the case of TLS. I think it is wrong to say as a general rule that a certificate successfully maps to the appropriate server if either the SRV-Name or the DNS Name matches. To me this is highly context dependent where different protocols and applications have different needs. If the only thing I need to know is that the server is authorized to deliver the requested service for the requested domain, then SRVName match only is OK. If you need to know that this host is the host it claims to be, then it's not. What needs to be checked is to me a typical case of local policy and one size does not fit all. /Stefan On 10-09-09 8:11 PM, "Shumon Huque" <shuque@isc.upenn.edu> wrote: > On Thu, Sep 09, 2010 at 12:59:29AM +0200, Stefan Santesson wrote: >> Peter, >> >> I don't see the problem with accepting a host names provided by DNS SRV >> record as the reference identity. >> >> Could you elaborate the threat? >> >> Example: >> >> I ask the DNS for the host providing smtp services for example.com >> I get back that the following hosts are available >> >> smtp1.example.com, and; >> smtp2.example.com >> >> I contact the first one using a TSL connection and receives a server >> certificate with the SRVName _smtp.example.com and the dNSName >> smtp1.example.com >> >> The certificate confirms that the host in fact is smtp1.example.com and that >> it is authorized to provide smtp services for the domain example.com. >> >> That is all you need. The host name from the DNS server was setting you on >> the track but is not considered trusted. What you trust is the names in the >> certificate. > > This is a more complicated example than the current draft > addresses. > > In your example, the client is verifying "a combination of > identifiers" (SRVName and dNSName) in the certificate. This > seems like a reasonable thing to do, but this is not what > most clients do today (I'd be happy to be corrected about > that). Typically, they consider a match successful once they've > found a single acceptable reference identifier. In that case, > you can't simply use a reference identifier that contains > a DNS mapped identifier unless you've obtained it an authenticated > (or statically configured) manner.
- Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check =JeffH
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Martin Rex
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Why require EKU for certid? Paul Hoffman
- Re: Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Martin Rex
- RE: [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Henry B. Hotz