[pkix] RFC 6125, Server Identity Check and insecure DNS lookup

Jeffrey Walton <noloader@gmail.com> Mon, 02 February 2015 03:05 UTC

Date: Sun, 01 Feb 2015 22:05:26 -0500
Message-ID: <CAH8yC8k0mD4J9cSdryVytUCs=jvV4xAv0ogBO+42Y5SFkucegw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: PKIX <pkix@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/3tsQRPLYQT1NVlcT8rtsogQMDsM>
Subject: [pkix] RFC 6125, Server Identity Check and insecure DNS lookup

What does RFC 6125 mean when they say the following:

   2.4.  Server Identity Check

   o  The client MUST use the server hostname it used to open the
      connection as the value to compare against the server name as
      expressed in the server certificate.  The client MUST NOT use any
      form of the server hostname derived from an insecure remote source
      (e.g., insecure DNS lookup).  CNAME canonicalization is not done.

Is this saying that all DNS is considered insecure, and only the
original hostname used by the client should be used for validation?

Or is it saying it's OK to follow the CNAME aliases when using a
"secure" DNS, like DNSSEC?

Or is it saying something else?
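To make the quoted rule concrete, here is an added example (not part of the thread or of any RFC text) of a reference-identity matcher that compares only the hostname the client used to open the connection, and a side-by-side run showing how the outcome changes if a DNS-supplied CNAME target were substituted instead. All hostnames, SAN values and the CNAME mapping are constructed for the example.

```python
# Added example: RFC 6125-style dNSName matching with no CNAME canonicalization.
# Every hostname, SAN entry and DNS answer below is constructed for illustration.

def dns_name_matches(reference: str, presented: str) -> bool:
    """Match one dNSName from the certificate against the reference identity.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only when '*' is the entire left-most label and it matches exactly
    one label (RFC 6125 section 6.4.3); additionally requiring at least two
    further labels (so '*.com' never matches) is a common extra restriction.
    """
    ref_labels = reference.lower().rstrip(".").split(".")
    pres_labels = presented.lower().rstrip(".").split(".")
    if "*" not in presented:
        return ref_labels == pres_labels
    if pres_labels[0] != "*" or len(pres_labels) < 3:
        return False  # '*' must be the whole left-most label, e.g. not 'w*.example.com'
    if len(ref_labels) != len(pres_labels):
        return False  # the wildcard stands for exactly one label
    return ref_labels[1:] == pres_labels[1:]


def verify_server_identity(hostname_used_to_connect: str, san_dns_names: list) -> bool:
    """The quoted rule: the reference identity is the name the client connected to."""
    return any(dns_name_matches(hostname_used_to_connect, n) for n in san_dns_names)


# Constructed DNS answer: the typed name is a CNAME for an edge host elsewhere.
CNAME_FROM_DNS = {"www.example.com": "edge17.cdn-example.net"}


def check_both_ways(hostname: str, san_dns_names: list) -> dict:
    """Compare the RFC 6125 result with what CNAME canonicalization would give."""
    canonical = CNAME_FROM_DNS.get(hostname, hostname)
    return {
        "rfc6125": verify_server_identity(hostname, san_dns_names),
        "cname_canonicalized": verify_server_identity(canonical, san_dns_names),
    }


if __name__ == "__main__":
    # Certificate issued only to the CNAME target: accepted only by trusting DNS.
    print(check_both_ways("www.example.com", ["*.cdn-example.net"]))
    # Certificate issued to the name the user typed: accepted under the rule.
    print(check_both_ways("www.example.com", ["www.example.com", "example.com"]))
```

The first run shows why the rule matters: accepting the CNAME-target certificate lets whoever controls the (unauthenticated) DNS answer choose which name gets verified.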