IETF Logo Mail Archive

Re: [Ntp] Wildcards in NTS certificate checking

Hal Murray <halmurray+ietf@sonic.net> Tue, 19 April 2022 09:12 UTC

Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1505E3A0DC2 for <ntp@ietfa.amsl.com>; Tue, 19 Apr 2022 02:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.909
X-Spam-Level:
X-Spam-Status: No, score=-0.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, PP_MIME_FAKE_ASCII_TEXT=0.998, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jjj9noSMMEHX for <ntp@ietfa.amsl.com>; Tue, 19 Apr 2022 02:12:15 -0700 (PDT)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09ED83A0DC0 for <ntp@ietf.org>; Tue, 19 Apr 2022 02:12:14 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (107-137-68-211.lightspeed.sntcca.sbcglobal.net [107.137.68.211]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 23J9CC7Q001060 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 19 Apr 2022 02:12:12 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 4342D28C1D8; Tue, 19 Apr 2022 02:12:12 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7.1
To: "Salz, Rich" <rsalz@akamai.com>
cc: Hal Murray <halmurray+ietf@sonic.net>, ntp@ietf.org
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from "Salz, Rich" <rsalz@akamai.com> of "Sat, 16 Apr 2022 13:58:18 -0000." <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 19 Apr 2022 02:12:12 -0700
Message-Id: <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVbiSrr6u8tOd1p3/XDj9buHkaeBbj9WiZ3mcPCh1Q8IggMn07M8NPmkYAUeWJQOc/hS9FFip3EShv90vXBjgep3zoC+HmjUid4=
X-Sonic-ID: C;OLxXzMC/7BGmYDxK8ccZ+g== M;GCmIzMC/7BGmYDxK8ccZ+g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/EjC37Zpsp4AbCyyRmTVrjtQdydw>
Subject: Re: [Ntp] Wildcards in NTS certificate checking
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2022 09:12:19 -0000

rsalz@akamai.com said:
> You will not get a reputation for being insecure if you support wildcards.  I
> mean, c'mon, Marco has pointed out that the software is inconsistent and I've
> pointed out that it is really common practice and that your policy decisions
> seem based on lack of knowledge. I've also suggested other places you could
> go to (the UTA and TLS working groups).  What more do you want?  I'm can’t
> imagine how else I can useful contribute to this conversation. 

I think I've figured out where my confusion is/was coming from.  I was 
thinking of 6125bis as a modification to 6125 rather than a replacement.

You asked for feedback...

The part that I was looking for was an explicit statement that the "SHOULD NOT 
contain the wildcard" has been dropped.  It might help to add something like 
that to the 3rd bullet in section 1.2

IP Addresses are out of scope.  I'd like to know more, preferably a sentence 
or paragraph but at least a good reference.  It seems like a good way to avoid 
all the security tangles with DNS.

Last paragraph before section 4:  "MUST state" that wildcards are not 
supported.  How does that apply to existing RFCs?  Has that item been added to 
the reviewers checklist?  I think it would clarify things if future RFCs would 
state that wildcards are supported.

Section 6.2, last paragraph, matching DNS name and service type.  It's 
probably obvious, but worth stating.  If I'm trying to find a match for 
www:www.example.com or sip:voice.example.com, will that match a certificate 
for sip:www.example.com?

------

OpenSSL treats ".example.com" (leading dot) as matching x.example.com or 
x.y.example.com or x.y.x.example.com ...

Where did that come from?  Is there a good story? ...  Should it be explicitly 
deprecated?


-- 
These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email