Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)

"Richard L. Barnes" <rbarnes@bbn.com> Wed, 30 March 2011 20:35 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 052A83A6BC5 for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:35:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.549
X-Spam-Level:
X-Spam-Status: No, score=-102.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vk95CRq9lwkP for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:35:19 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id AB9D63A6A64 for <keyassure@ietf.org>; Wed, 30 Mar 2011 13:35:19 -0700 (PDT)
Received: from [128.89.255.154] (port=60607 helo=dhcp-436b.meeting.ietf.org) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Q528L-000Jgm-VE; Wed, 30 Mar 2011 16:36:54 -0400
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <72CD6385-5FBF-41FF-90D5-71B7A2A87BE1@nzrs.net.nz>
Date: Wed, 30 Mar 2011 22:36:38 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA930FC6-5181-451B-B2A2-35EB1F9AB6F4@bbn.com>
References: <4D7BFB41.4000403@vpnc.org> <20110321092514.GE9247@anguilla.noreply.org> <AFFDB7BB-8749-4638-AB2D-9ACB617204AC@kirei.se> <20110321130430.GG9247@anguilla.noreply.org> <4BC9E139-CBC5-46EE-A18F-E8F16AE108D6@vpnc.org> <20110330091416.GI681@anguilla.noreply.org> <p06240803c9b8c1a35d7c@[130.129.71.125]> <F0969248-124A-4A32-9F8F-EA81B17FDE05@bbn.com> <20EEA73E-9E5E-4D8F-B70C-BD6DF37F60E6@nzrs.net.nz> <0D12CEFF-68F5-49C1-B4A9-6A0572936B3C@bbn.com> <72CD6385-5FBF-41FF-90D5-71B7A2A87BE1@nzrs.net.nz>
To: Jay Daley <jay@nzrs.net.nz>
X-Mailer: Apple Mail (2.1082)
Cc: Peter Palfrader <peter@palfrader.org>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] CN/SAN matching (was: End entity certificate matching, trust anchors, and protocol-06)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 20:35:21 -0000

The milestone reads:
"
April 2011 - First WG draft of standards-track protocol for using DNS to associate hosts with keys for TLS and DTLS
"
So no, not updating 2818, 3207, etc.

The upshot of this naming discussion is that nothing that touches names is going to be general to TLS and DTLS.  So if you want to update 2818 to use DANE for name matching, you'll have to do it in a separate document, either as a new DANE milestone or (more likely) in TLS.  

--Richard



On Mar 30, 2011, at 10:14 PM, Jay Daley wrote:

> 
> On 31/03/2011, at 9:03 AM, Richard L. Barnes wrote:
> 
>> Nope, it's up to applications.  If you want SN/CAN *not* to be checked for HTTPS, then you need to go revise RFC 2818; for SMTP, RFC 3207; for IMAP/POP3, RFC 2595.
> 
> Indeed.
> 
> I assumed we were updating RFC 2818.
> 
> As for RFC 3207 that says this gem, which is as much use as a chocolate teapot and so will need updating:
> 
> -  A SMTP client would probably only want to authenticate an SMTP
>   server whose server certificate has a domain name that is the
>   domain name that the client thought it was connecting to."
> 
> And RFC 2595 is going to need updating because the name check is specific:
> 
>   - The client MUST use the server hostname it used to open the
>     connection as the value to compare against the server name as
>     expressed in the server certificate.  The client MUST NOT use any
>     form of the server hostname derived from an insecure remote source
>     (e.g., insecure DNS lookup).  CNAME canonicalization is not done.
> 
> Jay
> 
>> 
>> --Richard
>> 
>> 
>> 
>> On Mar 30, 2011, at 9:45 PM, Jay Daley wrote:
>> 
>>> I would argue the complete opposite - that it is in scope for DANE to state that names in certificates should not be checked because the trust chain has been provided by DNSSEC.  Doing that allows individuals and organisations to reuse certificates as they need to for operational reasons and not as dictated to by suppliers or paranoid protocol developers.
>>> 
>>> Jay
>>> 
>>> On 31/03/2011, at 12:55 AM, Richard L. Barnes wrote:
>>> 
>>>> This is outside of DANE's scope.  Checking of names in certificates is up to the application that uses TLS.
>>>> --Richard
>>>> 
>>>> 
>>>> On Mar 30, 2011, at 1:19 PM, Stephen Kent wrote:
>>>> 
>>>>> At 11:14 AM +0200 3/30/11, Peter Palfrader wrote:
>>>>>> On Mon, 21 Mar 2011, Paul Hoffman wrote:
>>>>>> 
>>>>>>> On Mar 21, 2011, at 6:04 AM, Peter Palfrader wrote:
>>>>>>>> Why is it needed in the first place?
>>>>>>> 
>>>>>>> That's a very good question. I don't feel that it is a "need", but it
>>>>>>> "makes some sense". That is, if I want to go to www.example.com, and I
>>>>>>> get an A record for www.example.com, and I get a TLSA record for
>>>>>>> _http._tcp.www.example.com, and I get a certificate that says "this
>>>>>>> key is associated with www.somethingelse.com"quot;, what does it mean?
>>>>>>> 
>>>>>>> I can see both ways: "it doesn't matter what the cert says, we are
>>>>>>> trusting the binding from the DNS" vs. "the cert needs to mean
>>>>>>> something"? Jakob and I have that text in because a number of people
>>>>>>> on the list were in the latter category, but it seems like a
>>>>>>> reasonable question to ask separately.
>>>>>> 
>>>>>> I wonder if one approach here would be to require a match if, and only
>>>>>> if, any naming attributes (CN, SubjectAltName) are in the certificate.
>>>>>> 
>>>>>> If there are no CN and no SAN attributes in the certificate then that
>>>>>> would be acceptable too.
>>>>>> 
>>>>>> Cheers,
>>>>>> Peter
>>>>> 
>>>>> A CN is a type of attribute in the Subject DN.  A SAN admits a variety of name types, some of which can have attributes. Do you mean to focus on DNS names as SANs or did you have a broader range of SANs in mind?
>>>>> 
>>>>> Steve
>>>>> _______________________________________________
>>>>> keyassure mailing list
>>>>> keyassure@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/keyassure
>>>> 
>>>> _______________________________________________
>>>> keyassure mailing list
>>>> keyassure@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/keyassure
>>> 
>>> 
>>> -- 
>>> Jay Daley
>>> Chief Executive
>>> .nz Registry Services (New Zealand Domain Name Registry Limited)
>>> desk: +64 4 931 6977
>>> mobile: +64 21 678840
>>> 
>> 
> 
> 
> -- 
> Jay Daley
> Chief Executive
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 931 6977
> mobile: +64 21 678840
>