IETF Logo Mail Archive

Re: Review of draft-saintandre-tls-server-id-check

Stefan Santesson <stefan@aaa-sec.com> Wed, 08 September 2010 23:00 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37F6E3A6993 for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 16:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.424
X-Spam-Level:
X-Spam-Status: No, score=-102.424 tagged_above=-999 required=5 tests=[AWL=0.825, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7vH3Kp2ySfdJ for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 16:00:19 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.115]) by core3.amsl.com (Postfix) with ESMTP id 370153A6980 for <ietf@ietf.org>; Wed, 8 Sep 2010 16:00:19 -0700 (PDT)
Received: from s42.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id D7F4F3BB5CD for <ietf@ietf.org>; Thu, 9 Sep 2010 00:59:40 +0200 (CEST)
Received: (qmail 69327 invoked from network); 8 Sep 2010 22:59:43 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.5]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s42.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <stpeter@stpeter.im>; 8 Sep 2010 22:59:43 -0000
User-Agent: Microsoft-Entourage/12.26.0.100708
Date: Thu, 09 Sep 2010 00:59:29 +0200
Subject: Re: Review of draft-saintandre-tls-server-id-check
From: Stefan Santesson <stefan@aaa-sec.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Message-ID: <C8ADE1F1.EBB9%stefan@aaa-sec.com>
Thread-Topic: Review of draft-saintandre-tls-server-id-check
Thread-Index: ActPqX3eKc3SIeJbTE+KOpnRzFkIvA==
In-Reply-To: <4C8807AC.9020808@stpeter.im>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, IETF cert-based identity <certid@ietf.org>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 23:00:21 -0000

Peter,

I don't see the problem with accepting a host names provided by DNS SRV
record as the reference identity.

Could you elaborate the threat?

Example:

I ask the DNS for the host providing smtp services for example.com
I get back that the following hosts are available

smtp1.example.com, and;
smtp2.example.com

I contact the first one using a TSL connection and receives a server
certificate with the SRVName _smtp.example.com and the dNSName
smtp1.example.com

The certificate confirms that the host in fact is smtp1.example.com and that
it is authorized to provide smtp services for the domain example.com.

That is all you need. The host name from the DNS server was setting you on
the track but is not considered trusted. What you trust is the names in the
certificate.



As to IdP services. This type of redirect is extremely common and widely
deployed in SAML. 

Example: The client connects to a service by choice. That service is
retrieving the metadata for the identity federation from a central database.
Among other things this metadata contains URLs to all approved Identity
provides (IdP) in the federation.

In order to allow the user to select the appropriate IdP service the user
may first be directed to a SAML discovery service (often called WAYF =
"Where Are You From"). The WAYF service redirects the user back to the
original service with information about the selected IdP. The Service
locates the IdP from the metadata and redirects the user to its IdP for
identification. The user is then handed a ticket (SAML assertion) and gets
redirected back to the service with the ticket.

Again, this is very common and designed and has undergone thorough security
reviews in a very large community.

I think it is very bold of the IETF to claim that SAML got it wrong and
should not be allowed.

Unfortunately, for these reasons I still don't think the proposed text is
satisfactory

/Stefan


On 10-09-09 12:01 AM, "Peter Saint-Andre" <stpeter@stpeter.im> wrote:

> On 9/8/10 11:28 AM, Stefan Santesson wrote:
>> For clarity, I'll provide two examples where I think it is motivated to
>> obtain the FQDN reference identifier in an automated fashion and not through
>> direct user input or configuration (contrary to section 5.1).
> 
> Thanks for the examples.
> 
>> 1) Obtaining EU Trusted Lists
>> EU has standardized on XML based lists over national Trust Service Providers
>> and their certificates. Each country in the EU publish their own list.
>> The EU commission provides a central list with all the URLs to each national
>> list.
>> 
>> The first step is for the client to establish a secure connection with the
>> EU commission and download the EU list. This is done by configuration.
>> 
>> The second step is to automatically obtain reference identifiers for all
>> national lists from the EU list.
>> 
>> 
>> 2) Redirects from a trusted service.
>> If I connect to a trusted service and then get redirected to another host,
>> it can be reasonable to obtain the reference identifier from the rediricet.
>> Typical application I can think of is a redirect to a SAML IdP or a SAML
>> Discovery service.
> 
> It seems to me that in both of these cases, the user has placed trust in
> a certain entity (the EU's system of trust service providers, a
> particular trusted service) and has configured his or her application
> client to allow that entity to transform a source domain into a
> target-domain-based reference identifier for the purposes of secure
> connection. (One could argue that DNSSEC might result in a similar
> arrangement.)
> 
> Would the following text address the scenarios you mention?
> 
> ###
> 
> 5.1.  Service Delegation
> 
>    When the connecting application is an interactive client, the source
>    domain name and service type SHOULD be provided by a human user (e.g.
>    when specifying the server portion of the user's account name on the
>    server or when explicitly configuring the client to connect to a
>    particular host or URI as in [SIP-LOC]) and SHOULD NOT be derived
>    from the user inputs in an automated fashion (e.g., a host name or
>    domain name discovered through DNS resolution of the source domain).
>    This rule is important because only a match between the user inputs
>    (in the form of a reference identifier) and a presented identifier
>    enables the client to be sure that the certificate can legitimately
>    be used to secure the connection.
> 
>    There are several scenarios in which it can be legitimate for an
>    interactive client to override the recommendation in the foregoing
>    rule.  Examples include:
> 
>    1.  A human user has explicitly configured the client to associate a
>        particular target domain with a given source domain (e.g., for
>        connection and identity checking purposes the user has explicitly
>        approved "apps.example.net" as the target domain associated with
>        a source domain of "example.com").
> 
>    2.  A human user has explicitly agreed to trust a service that
>        provides mappings of source domains to target domains, such as a
>        dedicated discovery service or an identity service that securely
>        redirects requests from the source domain to a target domain
>        (however, such an arrangement is not encouraged and if a client
>        supports such a service then it needs to disable it by default
>        and carefully warn the user about the possible negative
>        consequences of trusting such a service).
> 
> ###
> 
> I'm quite leery of these identity mapping services you have mentioned; I
> can see that some people might trust them, but I think we need to
> encourage clients to clearly and forcefully warn users about them,
> because trusting such a service means handing over a great deal of power.
> 
> /psa
> 
>> /Stefan
>> 
>> 
>> On 10-09-08 4:21 PM, "Stefan Santesson" <stefan@aaa-sec.com> wrote:
>> 
>>> My apology,
>>> 
>>> I just realized that the document defines "source domain" as what I thought
>>> would be the "target domain"
>>> 
>>>    source domain:  The fully-qualified DNS domain name that a client
>>>       expects an application service to present in the certificate.
>>> 
>>> Which makes my comments below a bit wrong.
>>> 
>>> I think it would be better to discuss this in terms of "reference
>>> identifier"
>>> and "presented Identifier".
>>> 
>>>    presented identifier:  An identifier that is presented by a server to
>>>       a client within the server's PKIX certificate when the client
>>>       attempts to establish a secure connection with the server; the
>>>       certificate can include one or more presented identifiers of
>>>       different types.
>>> 
>>>    reference identifier:  An identifier that is used by the client for
>>>       matching purposes when checking the presented identifiers; the
>>>       client can attempt to match multiple reference identifiers of
>>>       different types.
>>> 
>>> I see no problem in obtaining the reference identifier from a DNS lookup an
>>> the comparing it with a presented identifier in the certificate.
>>> 
>>> Why would you require the reference identity to be provided by a human user?
>>> 
>>> /Stefan
>>> 
>>> 
>>> 
>>> On 10-09-08 3:40 PM, "Stefan Santesson" <stefan@aaa-sec.com> wrote:
>>> 
>>>> Being the author of RFC 4985 I agree with most of you say here.
>>>> 
>>>> Comments in line;
>>>> 
>>>> On 10-09-06 8:48 PM, "Bernard Aboba" <bernard_aboba@hotmail.com> wrote:
>>>> 
>>>>> That was in fact my original question.
>>>>> 
>>>>> Section 5.1 states that the source domain and service type MUST be
>>>>> provided by a human user, and can't be derived.  Yet in an SRV or
>>>>> DDDS lookup, it is not the source domain that is derived, it is the
>>>>> target domain.  Given that, it's not clear to me what types of DNS
>>>>> resolutions are to be discouraged.
>>>>> 
>>>> 
>>>> This puzzled me as well. The domain of interest is the domain where the
>>>> requested service is located = target domain.
>>>> 
>>>>> As noted elsewhere, RFC 4985 appears to require matching of the
>>>>> source domain/service type to the SRV-ID in the certificate.
>>>> 
>>>> It is not. RFC 4985 says the following in section 2:
>>>> 
>>>>       _Service.Name
>>>> 
>>>> <snip>
>>>> 
>>>>       Name
>>>>          The DNS domain name of the domain where the specified service
>>>>          is located.
>>>> 
>>>> 
>>>>>  Such
>>>>> a process would be consistent with a match between user inputs
>>>>> (the source domain and service type) and the presented identifier
>>>>> (the SRV-ID).
>>>>> 
>>>> 
>>>> Since this is not the definition of SRVName, this type of matching does not
>>>> apply.
>>>> 
>>>>> 
>>>>>> Yet, Section 5.1 states:
>>>>>> 
>>>>>> When the connecting application is an interactive client, the source
>>>>>>    domain name and service type MUST be provided by a human user (e.g.
>>>>>>    when specifying the server portion of the user's account name on the
>>>>>>    server or when explicitly configuring the client to connect to a
>>>>>>    particular host or URI as in [SIP-LOC]) and MUST NOT be derived from
>>>>>>    the user inputs in an automated fashion (e.g., a host name or domain
>>>>>>    name discovered through DNS resolution of the source domain).  This
>>>>>>    rule is important because only a match between the user inputs (in
>>>>>>    the form of a reference identifier) and a presented identifier
>>>>>>    enables the client to be sure that the certificate can legitimately
>>>>>>    be used to secure the connection.
>>>>>> 
>>>>>>    However, an interactive client MAY provide a configuration setting
>>>>>>    that enables a human user to explicitly specify a particular host
>>>>>>    name or domain name (called a "target domain") to be checked for
>>>>>>    connection purposes.
>>>>>> 
>>>>>> [TP] what I thought was about to be raised here was a contradiction that
>>>>>> RFC4985
>>>>>> is all about information gotten from a DNS retrieval whereas the wording
>>>>>> of
>>>>>> s5.1
>>>>>> in this I-D
>>>>>> 
>>>>>> "the source
>>>>>>    domain name and service type  ...  MUST NOT be derived from
>>>>>>    the user inputs in an automated fashion (e.g., ... discovered through
>>>>>> DNS
>>>>>> resolution ... "
>>>>>> 
>>>>>> would appear to exclude DNS resolution.  If DNS resolution is off limits,
>>>>>> then
>>>>>> RFC4985 would appear not to apply.
>>>>>> 
>>>> 
>>>> RFC 4985 provides the client with a way to authenticate a host that it
>>>> believes is authorized to provide a specific service in the target domain.
>>>> 
>>>> It does not matter from where the client has obtained that authorization
>>>> information or whether that information is trustworthy.
>>>> 
>>>> A client may very well do an insecure DNS lookup to discover what host is
>>>> providing the requested service. The client would then contact that host
>>>> and
>>>> obtained it's certificate. If the certificate is trusted and it's SRVName
>>>> matches the information provided from the DNS server, then everything is
>>>> fine.
>>>> 
>>>> The client now has assurance from the CA that this host is in fact
>>>> authorized
>>>> to provide this service.
>>>> 
>>>> 
>>>> /Stefan
>>>>

v2.23.0 | Report a Bug | By Email