Re: [pkix] [lamps] Fwd: [Technical Errata Reported] RFC5280 (5997)
Benjamin Kaduk <kaduk@mit.edu> Tue, 03 March 2020 05:16 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002233A1870; Mon, 2 Mar 2020 21:16:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gSi5EM1LMcAS; Mon, 2 Mar 2020 21:16:01 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 232B83A1873; Mon, 2 Mar 2020 21:16:00 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0235Fucu003957 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 3 Mar 2020 00:15:58 -0500
Date: Mon, 02 Mar 2020 21:15:55 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>, IETF PKIX <pkix@ietf.org>
Message-ID: <20200303051555.GQ98042@kduck.mit.edu>
References: <20200227225404.CA7ADF40714@rfc-editor.org> <CAErg=HEUhTvuhxEv91C8GQZd01XiPByfaqjcvRmgJ00+C2QNRw@mail.gmail.com> <48F9976F-C087-4695-BA63-8DAA730A4906@vigilsec.com> <CAErg=HEAPkYXudf_p9oES5yh+T-5_DxpViuw-JCpeqx-8fNKOw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAErg=HEAPkYXudf_p9oES5yh+T-5_DxpViuw-JCpeqx-8fNKOw@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/30FDNku_NHhJlpJZzD3BGhsz4HU>
Subject: Re: [pkix] [lamps] Fwd: [Technical Errata Reported] RFC5280 (5997)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 05:16:04 -0000
That does seem like the right higher-order question, but it seems (to me) fairly inevitable that this errata report must be classified as "hold for document update" to give the WG a chance to make a definitive decision, as the original intent remains unclear. -Ben On Fri, Feb 28, 2020 at 01:52:07PM -0500, Ryan Sleevi wrote: > Thanks. You're absolutely right, that was an oversight on my part. > > I think the higher-order question is what the syntax is "meant" to be, as > the use of an illustrative example alone has lead to confusion. Even if a > future revision retroactively 'blesses' ".example.com" as an ambiguity > within 5280, the semantics of that are also ambiguous. > > On Fri, Feb 28, 2020 at 1:39 PM Russ Housley <housley@vigilsec.com> wrote: > > > Ryan: > > > > I see the point you are trying to make, but the exact substitution that > > you propose breaks the sentence that follows. > > > > OLD > > > > DNS name restrictions are expressed as host.example.com. Any DNS > > name that can be constructed by simply adding zero or more labels to > > the left-hand side of the name satisfies the name constraint. For > > example, www.host.example.com would satisfy the constraint but > > host1.example.com would not. > > > > NEW > > > > For DNS names, restrictions MUST use the dNSName syntax in > > Section 4.2.1.6. Any DNS name that can be constructed by simply > > adding zero or more labels to the left-hand side of the name satisfies > > the name constraint. For example, if the constraint contains > > host.example.com, then www.host.example.com would satisfy the > > constraint but host1.example.com would not. > > > > On Feb 28, 2020, at 1:03 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > > > > I've heard word that this may not have gone out to the PKIX list, but I > > did want to pass this along with LAMPS. > > > > As both the current syntax and semantics are ambiguous, judging by > > implementation behaviour, I'm totally appreciative that the suggested > > change might be rejected or might be held for a hypothetical document > > update in the future. > > > > However, I did want to bring to broader attention and document the fact > > that the ambiguity has lead to different levels of guarantees. It was > > recently pointed out to me that Apple adopted the "URI-like" syntax, as > > discussed at > > https://cabforum.org/pipermail/servercert-wg/2020-February/001676.html , > > while as mentioned in the Errata, Go and OpenSSL seem to have adopted the > > "PEBKAC" syntax of assuming it's an encoding error. > > > > Within the Web PKI, tools like Amazon's certlint treats this as an error, > > while tools like ZLint inherit Golang's permissiveness. As a consequence, > > unless the CA applies both checks (which is strongly recommended, due to > > certlint attempting to compile the ASN.1 modules to offer stricter > > validation), it's possible that such certificates might continue to > > proliferate. As discussed within the linked Golang issue, there's > > unfortunately a number of documentation examples that use the leading > > period example, and so RFC 5280 CAs that don't participate exclusively in > > the Web PKI are even more at risk of the varying interpretations. > > > > ---------- Forwarded message --------- > > From: RFC Errata System <rfc-editor@rfc-editor.org> > > Date: Thu, Feb 27, 2020 at 5:54 PM > > Subject: [Technical Errata Reported] RFC5280 (5997) > > To: <david.cooper@nist.gov>, <stefans@microsoft.com>, < > > stephen.farrell@cs.tcd.ie>, <sharon.boeyen@entrust.com>, < > > housley@vigilsec.com>, <wpolk@nist.gov>, <rdd@cert.org>, <kaduk@mit.edu>, > > <kent@bbn.com>, <stefan@aaa-sec.com> > > Cc: <ryan-pkix@sleevi.com>, <pkix@ietf.org>, <rfc-editor@rfc-editor.org> > > > > > > The following errata report has been submitted for RFC5280, > > "Internet X.509 Public Key Infrastructure Certificate and Certificate > > Revocation List (CRL) Profile". > > > > -------------------------------------- > > You may review the report below and at: > > https://www.rfc-editor.org/errata/eid5997 > > > > -------------------------------------- > > Type: Technical > > Reported by: Ryan Sleevi <ryan-pkix@sleevi.com> > > > > Section: 4.2.1.10 > > > > Original Text > > ------------- > > DNS name restrictions are expressed as host.example.com. Any DNS > > name that can be constructed by simply adding zero or more labels to > > the left-hand side of the name satisfies the name constraint. > > > > Corrected Text > > -------------- > > The syntax of dNSName MUST be as described in Section 4.2.1.6. Any DNS > > name that can be constructed by simply adding zero or more labels to > > the left-hand side of the name satisfies the name constraint. > > > > Notes > > ----- > > Currently, the syntax for a dNSName nameConstraint is left implicit, and > > thus has resulted in ambiguities in encoding and processing that have > > resulted in ineroperability issues. > > > > One interpretation is that the dNSName nameConstraint must be a valid > > "host name" (as discussed in RFC 8499), which is to say must be a > > Fully-Qualified Domain Name in the preferred name syntax. This > > interpretation is supported by Section 4.2.1.6, which explicitly states > > that for the subjectAltName. As 4.2.1.10 does not define an exception to > > this (as discussed in Appendix B), the interpretation, along with the > > existing example, would conclude that this field uses preferred name > > syntax, and that "DNS name" here matches the "host name" interpretation > > from RFC 8499 > > > > A different interpretation is that the dNSName nameConstraint uses the > > modified syntax similar to the URI nameConstraint. That is, it explicitly > > permits a leading period to indicate that one or more labels preceding is > > required in order to satisfy the constraint. This allows subdomains, but > > does not allow the base domain to match. While the language for the DNS > > name constraint makes it clear that a host name with no preceding period > > matches both that host and sub-domains, the existence of a preceding period > > would constraint it to only subdomains. > > > > Aligning with Section 4.2.1.6 would prohibit the latter interpretation, as > > the preferred name syntax does not permit leading periods. Alternatively, > > if the latter interpretation is intended, this section would benefit from > > making that explicit. > > > > This has been a source of interoperability issues, with additional > > information and discussion captured at: > > - https://github.com/golang/go/issues/16347 > > - https://rt.openssl.org/Ticket/Display.html?id=3562 > > > > While "running code" has aligned in being permissive with a leading > > period, implementations have gone and seemingly aligned on a third > > interpretation: > > > > The syntax of a dNSName MUST be as described in Section 4.2.1.6, with the > > exception that it MAY contain a leading period. Any DNS name that can be > > constructed by simply adding zero or more labels to the left-hand side of > > the name, ignoring any leading period, satisfies the name constraint. > > > > This seems to support implementations expecting the first interpretation > > in the certificates they receive, and seeing leading period as an encoding > > mistake, not an explicit desire for the second interpretation. > > > > Instructions: > > ------------- > > This erratum is currently posted as "Reported". If necessary, please > > use "Reply All" to discuss whether it should be verified or > > rejected. When a decision is reached, the verifying party > > can log in to change the status and edit the report, if necessary. > > > > -------------------------------------- > > RFC5280 (draft-ietf-pkix-rfc3280bis-11) > > -------------------------------------- > > Title : Internet X.509 Public Key Infrastructure Certificate > > and Certificate Revocation List (CRL) Profile > > Publication Date : May 2008 > > Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. > > Housley, W. Polk > > Category : PROPOSED STANDARD > > Source : Public-Key Infrastructure (X.509) > > Area : Security > > Stream : IETF > > Verifying Party : IESG > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://www.ietf.org/mailman/listinfo/spasm > > > > > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Russ Housley
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Ryan Sleevi
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Benjamin Kaduk
- Re: [pkix] [lamps] [Technical Errata Reported] RF… Russ Housley