IETF Logo Mail Archive

Re: [pkix] Please clarify when and where wildcards should be matched in PKIX certificates

"Ryan Sleevi" <ryan-pkix@sleevi.com> Fri, 05 June 2015 18:28 UTC

Return-Path: <ryan-pkix@sleevi.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A216D1A1B3D for <pkix@ietfa.amsl.com>; Fri, 5 Jun 2015 11:28:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n_xTwQ5DunOU for <pkix@ietfa.amsl.com>; Fri, 5 Jun 2015 11:28:48 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 4E3981A1B30 for <pkix@ietf.org>; Fri, 5 Jun 2015 11:28:48 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTP id 1509C2005D906; Fri, 5 Jun 2015 11:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=Bqq6CAUiIelr+hg3ILmIr06iJsc=; b=h4jI9/c+6p2Vq84u3 eDB4wq06kEGQd5yWpuUAFmcWtbADKbKnhpNZZyVQRPcosLeSA1e+DcNkiFBIr6hs K8W8z5EOpZI8QAOCNfe5jok0QUuOFA0b6LlwjPUuL5Y1Txui0jBXJmLQs6yLZkBn ygZXn25NSi8ZippsBhmrLBjbRU=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTPA id B433F2005D82C; Fri, 5 Jun 2015 11:28:46 -0700 (PDT)
Received: from 67.161.27.165 (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Fri, 5 Jun 2015 11:28:48 -0700
Message-ID: <9741bf217b3b1a3a60e567fa6886a9ba.squirrel@webmail.dreamhost.com>
In-Reply-To: <CAH8yC8mQ8t5Fd7s+yyeL2XoEkXieULN74d23aWX=wqQoqCxagw@mail.gmail.com>
References: <CAH8yC8=_PypmYYW_0XPUS0xFB6vP4N1=RTmzCjdwVnR-05H=hw@mail.gmail.com> <CAH8yC8kLgbXYZb_-AY3er5EagG5XmUDaQhL7ynRwd+GL2anJeQ@mail.gmail.com> <CAH=tA5tT4VwWQUCcQ+E9BR1+ZVnHHS4HkwGZ3zJT736wZvQk8g@mail.gmail.com> <CAH8yC8mQ8t5Fd7s+yyeL2XoEkXieULN74d23aWX=wqQoqCxagw@mail.gmail.com>
Date: Fri, 05 Jun 2015 11:28:48 -0700
From: Ryan Sleevi <ryan-pkix@sleevi.com>
To: noloader@gmail.com
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Zt_0fqT3HRKqHVYta9VCGhHDqLw>
Cc: PKIX <pkix@ietf.org>, Tomoyuki Sahara <sahara@surt.net>
Subject: Re: [pkix] Please clarify when and where wildcards should be matched in PKIX certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-pkix@sleevi.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 18:28:49 -0000

On Fri, June 5, 2015 3:42 am, Jeffrey Walton wrote:
>  Tough problem in general.
>
>  (1) At the second label (with the leftmost as a wildcard), there are
>  three top levels to consider.
>
>      (A) Traditional Top Level Domains (call them gTLDs). *.COM, *.NET,
>  *.MIL,etc
>      (B) Country Top Level Domains (call them ccTLDs). *.UK, *.CN, etc
>      (C) Vanity Top level Domains (call them vTLDS). *.GOOLGE and friends

These are called Brand TLDs.

>  We can remediate (A) because its an exhaustive list. We just say NO.

Except it isn't an exhaustive list by any means, it is fluid. And you've
incorrectly lumped ".mil" in here, which is handled by the DoD Network
Information Center. .mil is a sponsored TLD fully operated by DISA/DOD
NIC, and as such, it's entirely reasonable for the DoD root CAs (which are
trusted as a matter of local policy by DoD machines, although not widely
trusted publicly) to issue *.mil, should they so wish.

>  I think (A) and (B) could (and should) be called out in PKIX
>  validation because validation is within purview of PKIX and the rules
>  are obvious.

The rules aren't obvious for a second. They change and have changed over
time.

>  We need the rules now, so there's probably no reason to wait for
>  DBOUND to deliver something. Plus, there's no guarantees DBOUND will
>  be delivering anything useful for any of these case (including (1)(A)
>  and (1)(B)). Finally, we already have some rules in RFC 6125, so
>  validation is within purview of PKIX.

That's specious logic. What you're describing is application trust policy
- "How do we determine X is authorized to say Y?" - and that's dependent
on local trust policies and configurations.

A locally installed trust anchor (which I know you're on record as being
opposed to) could totally determine that they're duly authorized to issue
for *.whatevertheywant, because that's what local policy means.

This isn't academic or theoretical - this is actively in use by
deployments today. No amount of handwringing here will fundamentally
change that.

If there is going to be something to express policy-by-default, and that
policy-by-default isn't expressed via the present Public Suffix List
(which I wouldn't advocate for a second standardizing upon as a MUST; at
best, a MAY), then it will presumably be through the activities of DBOUND.
So yes, waiting for DBOUND, and then waiting to see reception from actual
application software vendors from DBOUND, is an entirely reasonable step.

v2.23.0 | Report a Bug | By Email