RE: Review of draft-saintandre-tls-server-id-check
"Bernard Aboba" <bernard_aboba@hotmail.com> Wed, 08 September 2010 15:44 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BF293A68FE for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 08:44:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.719
X-Spam-Level:
X-Spam-Status: No, score=-101.719 tagged_above=-999 required=5 tests=[AWL=0.880, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ja-B5dS2Dp+Y for <ietf@core3.amsl.com>; Wed, 8 Sep 2010 08:44:30 -0700 (PDT)
Received: from blu0-omc3-s29.blu0.hotmail.com (blu0-omc3-s29.blu0.hotmail.com [65.55.116.104]) by core3.amsl.com (Postfix) with ESMTP id 505C23A6807 for <ietf@ietf.org>; Wed, 8 Sep 2010 08:44:30 -0700 (PDT)
Received: from BLU137-DS6 ([65.55.116.74]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 8 Sep 2010 08:44:58 -0700
X-Originating-IP: [131.107.0.117]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU137-DS69B0923178A60054D68C493720@phx.gbl>
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, daedulus@btconnect.com, ietf@ietf.org, stpeter@stpeter.im
References: <C8AD5ED8.EB30%stefan@aaa-sec.com> <C8AD687B.EB60%stefan@aaa-sec.com>
In-Reply-To: <C8AD687B.EB60%stefan@aaa-sec.com>
Subject: RE: Review of draft-saintandre-tls-server-id-check
Date: Wed, 08 Sep 2010 08:44:56 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJzixGRwY1Y6YNH0PthPoweAPd1wpG3we7w
Content-Language: en-us
X-OriginalArrivalTime: 08 Sep 2010 15:44:58.0388 (UTC) FILETIME=[CA92ED40:01CB4F6C]
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 15:44:34 -0000
So the statement that "RFC 4985 appears to require matching of the source domain/service type to the SRV-ID in the certificate" is correct, right? If the "reference identifier" is _Service.Name then the match is being done on the *input* to the SRV lookup process, not the output, and prohibition on DNS lookups would not apply (or even make any sense). -----Original Message----- From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Wednesday, September 08, 2010 7:21 AM To: Bernard Aboba; daedulus@btconnect.com; ietf@ietf.org; stpeter@stpeter.im Subject: Re: Review of draft-saintandre-tls-server-id-check My apology, I just realized that the document defines "source domain" as what I thought would be the "target domain" source domain: The fully-qualified DNS domain name that a client expects an application service to present in the certificate. Which makes my comments below a bit wrong. I think it would be better to discuss this in terms of "reference identifier" and "presented Identifier". presented identifier: An identifier that is presented by a server to a client within the server's PKIX certificate when the client attempts to establish a secure connection with the server; the certificate can include one or more presented identifiers of different types. reference identifier: An identifier that is used by the client for matching purposes when checking the presented identifiers; the client can attempt to match multiple reference identifiers of different types. I see no problem in obtaining the reference identifier from a DNS lookup an the comparing it with a presented identifier in the certificate. Why would you require the reference identity to be provided by a human user? /Stefan On 10-09-08 3:40 PM, "Stefan Santesson" <stefan@aaa-sec.com> wrote: > Being the author of RFC 4985 I agree with most of you say here. > > Comments in line; > > On 10-09-06 8:48 PM, "Bernard Aboba" <bernard_aboba@hotmail.com> wrote: > >> That was in fact my original question. >> >> Section 5.1 states that the source domain and service type MUST be >> provided by a human user, and can't be derived. Yet in an SRV or >> DDDS lookup, it is not the source domain that is derived, it is the >> target domain. Given that, it's not clear to me what types of DNS >> resolutions are to be discouraged. >> > > This puzzled me as well. The domain of interest is the domain where > the requested service is located = target domain. > >> As noted elsewhere, RFC 4985 appears to require matching of the >> source domain/service type to the SRV-ID in the certificate. > > It is not. RFC 4985 says the following in section 2: > > _Service.Name > > <snip> > > Name > The DNS domain name of the domain where the specified service > is located. > > >> Such >> a process would be consistent with a match between user inputs (the >> source domain and service type) and the presented identifier (the >> SRV-ID). >> > > Since this is not the definition of SRVName, this type of matching > does not apply. > >> >>> Yet, Section 5.1 states: >>> >>> When the connecting application is an interactive client, the source >>> domain name and service type MUST be provided by a human user (e.g. >>> when specifying the server portion of the user's account name on the >>> server or when explicitly configuring the client to connect to a >>> particular host or URI as in [SIP-LOC]) and MUST NOT be derived from >>> the user inputs in an automated fashion (e.g., a host name or domain >>> name discovered through DNS resolution of the source domain). This >>> rule is important because only a match between the user inputs (in >>> the form of a reference identifier) and a presented identifier >>> enables the client to be sure that the certificate can legitimately >>> be used to secure the connection. >>> >>> However, an interactive client MAY provide a configuration setting >>> that enables a human user to explicitly specify a particular host >>> name or domain name (called a "target domain") to be checked for >>> connection purposes. >>> >>> [TP] what I thought was about to be raised here was a contradiction >>> that >>> RFC4985 >>> is all about information gotten from a DNS retrieval whereas the >>> wording of >>> s5.1 >>> in this I-D >>> >>> "the source >>> domain name and service type ... MUST NOT be derived from >>> the user inputs in an automated fashion (e.g., ... discovered >>> through DNS resolution ... " >>> >>> would appear to exclude DNS resolution. If DNS resolution is off >>> limits, then >>> RFC4985 would appear not to apply. >>> > > RFC 4985 provides the client with a way to authenticate a host that it > believes is authorized to provide a specific service in the target domain. > > It does not matter from where the client has obtained that > authorization information or whether that information is trustworthy. > > A client may very well do an insecure DNS lookup to discover what host > is providing the requested service. The client would then contact that > host and obtained it's certificate. If the certificate is trusted and > it's SRVName matches the information provided from the DNS server, then everything is fine. > > The client now has assurance from the CA that this host is in fact > authorized to provide this service. > > > /Stefan >
- Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check =JeffH
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: [xmpp] Review of draft-saintandre-tls-server-… Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- RE: Review of draft-saintandre-tls-server-id-check Bernard Aboba
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Martin Rex
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Paul Hoffman
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Richard L. Barnes
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Peter Saint-Andre
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Stefan Santesson
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Dave Cridland
- Re: [certid] Review of draft-saintandre-tls-serve… Shumon Huque
- Re: [certid] Review of draft-saintandre-tls-serve… Dave Cridland
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check t.petch
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Re: Review of draft-saintandre-tls-server-id-check Peter Saint-Andre
- Why require EKU for certid? Paul Hoffman
- Re: Why require EKU for certid? Peter Saint-Andre
- Re: [certid] Why require EKU for certid? Martin Rex
- RE: [TLS] Why require EKU for certid? Jim Schaad
- Re: [certid] Why require EKU for certid? Henry B. Hotz