Re: [Ntp] Wildcards in NTS certificate checking

"Salz, Rich" <rsalz@akamai.com> Tue, 19 April 2022 17:58 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Hal Murray <halmurray+ietf@sonic.net>
CC: "ntp@ietf.org" <ntp@ietf.org>
Date: Tue, 19 Apr 2022 17:58:33 +0000
Message-ID: <72B90BB2-7BCE-4ED9-B568-6021D5F3B8EC@akamai.com>
References: <rsalz@akamai.com> <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com> <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/dEUqW2P49FLXpCSr33LAJxpQNjI>
Subject: Re: [Ntp] Wildcards in NTS certificate checking

>   I think I've figured out where my confusion is/was coming from.  I was
>   thinking of 6125bis as a modification to 6125 rather than a replacement.

Well, I guess it depends on semantics.  The actual number of changes between the two is very small:
    Do not use the CN field

6125 allowed wildcards (see 6.4, 6.4.2) but section 7.2 said SHOULD NOT as you point out. It doesn't say that clients SHOULD NOT use them if the server presents them, and maybe that's where you got confused?  7.2 ends with this:
   Notwithstanding the foregoing security considerations, specifications
   that reuse this one can legitimately encourage continued support for
   the wildcard character if they have good reasons to do so, such as
   backward compatibility with deployed infrastructure (see, for
   example, [EV-CERTS]).

The "good reasons to do so" have evolved, and it's no longer "backward compatibility" but rather "compatibility."

I will copy the rest of your items over to the UTA working group if that's okay.

>    OpenSSL treats ".example.com" (leading dot) as matching x.example.com or
>    x.y.example.com or x.y.x.example.com ...

That's something to take up with the OpenSSL folks.  I didn't know they still do it.  They shouldn't.  But OpenSSL does many things to support testing and unusual environments.
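As an added example (not part of this thread, and not OpenSSL's or any NTS implementation's code), here is a strict DNS-ID matcher an NTS client could apply to the names in the server certificate. It encodes the RFC 6125 section 6.4.3 wildcard rule and treats the leading-dot form Hal describes as malformed rather than as a multi-label wildcard; the specific policy choices (wildcard only as the whole leftmost label, at least two labels after it) are assumptions about a conservative client, not a quote of any specification text.

```python
# Added example: strict DNS-ID matching for server certificate names.
# Policy choices below are assumptions for a conservative client.
from typing import Optional, List


def _labels(name: str) -> Optional[List[str]]:
    """Split a DNS name into lowercase labels; None if malformed
    (empty name, or an empty label such as the leading dot in '.example.com')."""
    name = name.rstrip(".").lower()
    if not name:
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def matches_dns_id(presented: str, reference: str) -> bool:
    """True if a presented identifier (from the certificate) matches the
    reference identifier (the name the client expects to be talking to).

    Wildcard policy (strict reading of RFC 6125 section 6.4.3):
      * '*' may appear only as the entire leftmost label
      * '*' matches exactly one label, never zero and never several
      * at least two labels must follow the wildcard ('*.com' is rejected)
      * a reference identifier never contains a wildcard
    """
    if "*" in reference:
        return False
    p = _labels(presented)
    r = _labels(reference)
    if p is None or r is None:
        return False
    if "*" not in presented:
        return p == r
    # Wildcard present: reject partial ('x*') and non-leftmost wildcards.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) < 3:
        return False
    # '*' consumes exactly one label, so label counts must agree.
    if len(p) != len(r):
        return False
    return p[1:] == r[1:]
```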