Re: [pkix] Registration of a new sAN:otherName (NAIRealm)
mrex@sap.com (Martin Rex) Fri, 05 July 2013 22:57 UTC
Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6759121F9EB5 for <pkix@ietfa.amsl.com>; Fri, 5 Jul 2013 15:57:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.679
X-Spam-Level:
X-Spam-Status: No, score=-9.679 tagged_above=-999 required=5 tests=[AWL=-0.030, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_39=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0Jy5DX1rO7D for <pkix@ietfa.amsl.com>; Fri, 5 Jul 2013 15:56:59 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 054CD21F9E9E for <pkix@ietf.org>; Fri, 5 Jul 2013 15:56:58 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r65MulZ9014600 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 6 Jul 2013 00:56:48 +0200 (MEST)
In-Reply-To: <009001ce79c7$62c69f80$2853de80$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Date: Sat, 06 Jul 2013 00:56:47 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130705225647.D5D251A881@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: pkix@ietf.org
Subject: Re: [pkix] Registration of a new sAN:otherName (NAIRealm)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2013 22:57:03 -0000
Jim Schaad wrote: > > > > > > > The section numbers are still the same. There is one change in content: > > > It's not an IA5String but a UTF8String. The value in the cert needs to > > > be compared with the NAI realm; and that realm is itself UTF-8. So to > > > enable byte-by-byte comparison of non-ASCII realms, it's got to be > > > UTF8String. > > > > Uh-oh! > > > > Comparisons for the purpose of authentication (or endpoint identification) > > require clear and strict canonicalization and comparison rules (e.g. case- > > sensitivity). > > In this case the ramifications are being considered in the document > describing NAIs (http://datatracker.ietf.org/doc/draft-ietf-radext-nai/) and > we have been beating this issue around for a long time. The draft you mention properly describes the underlying problem: We RECOMMEND that the owner of the realm pre-provision all proxies with the "utf8-realm" portion of the NAI, along with the value returned from passing the "utf8-realm" to the ToAscii function. This key-value pair can then be placed into the logical AAA routing table discussed above. Having only one entity perform the ToAscii function ensures that the result returned by that function are considered as canonical by all other participants in a AAA network. For the TLS extension ServerNameIndication this means, that the certifcate (sAN-DNSName) *MUST* contain the A-label (which is also necessary since it is limited to IA5String), and the TLS extension SNI conveys the A-label, and the Server does a binary matching of the server name conveyed through TLSextSNI to the DNSName-sANs of his server certificates. In the TLSextSNI scenario, the "only one entity" doing the ToAscii is the TLS Client (more likely the application caller on top of it), so that what the client will use to perform ServerEndpointIdentification with the Server's Certificate is the exact same A-Label that is sent in TLSextSNI and the exact same A-Label that the server uses for choosing the most appropriate server certificate. Admittedly, I haven't check this draft, but storing an UTF8String in a certificate sAN is very likely to cause multiple independent entities having to compare user input to that sAN, and the trouble-maker that the above paragraph warns about. -Martin
- [pkix] Registration of a new sAN:otherName (NAIRe… Stefan Winter
- Re: [pkix] Registration of a new sAN:otherName (N… Russ Housley
- Re: [pkix] Registration of a new sAN:otherName (N… Stefan Santesson
- Re: [pkix] Registration of a new sAN:otherName (N… Stefan Winter
- Re: [pkix] Registration of a new sAN:otherName (N… Stefan Winter
- Re: [pkix] Registration of a new sAN:otherName (N… Stefan Winter
- Re: [pkix] Registration of a new sAN:otherName (N… Martin Rex
- Re: [pkix] Registration of a new sAN:otherName (N… Jim Schaad
- Re: [pkix] Registration of a new sAN:otherName (N… Martin Rex
- Re: [pkix] Registration of a new sAN:otherName (N… Stefan Winter