Re: [pkix] Please clarify when and where wildcards should be matched in PKIX certificates
Jeffrey Walton <noloader@gmail.com> Fri, 05 June 2015 07:45 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9DD31B2D24 for <pkix@ietfa.amsl.com>; Fri, 5 Jun 2015 00:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSmPkVIMcPeh for <pkix@ietfa.amsl.com>; Fri, 5 Jun 2015 00:45:45 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC03D1A90FD for <pkix@ietf.org>; Fri, 5 Jun 2015 00:45:44 -0700 (PDT)
Received: by ieclw1 with SMTP id lw1so52723213iec.3 for <pkix@ietf.org>; Fri, 05 Jun 2015 00:45:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=XLhvjYKEikQ+IxE3oMCv3nMCj4NtIp1Vsc/VqDlHFM8=; b=FnkUJoPqkDbKvUcZ0t4+KDd+L9F74pDw/6Da2cXymJVljS2pWmNM5vgpjqwSyBEcSX SMIlRNn2nHhPHy14sBExmPJZrTy+8xpUyTJvl3caUt3Y8WnLPR5DQDVFZG7qADlc3qc3 fc6S1oOoyI/aHHRTvaEr4DPj/N1iiS4m2TPbG3gqZCQ715BIM0LVZCsGDlYv3FH+opNt hP8Zb8IoN4q2wNmH6BJdaps3oNSKHwALLPKKknxC/4JF/5yRMk+vQ4QL03T822S/vDgZ pDE0gWxdTAskZI5B3l3kHhpLOnvqMN1mUTrRI+ez1w3qHFLnph9RsIAlUK6ZGBGvvu1q tBqg==
MIME-Version: 1.0
X-Received: by 10.107.159.77 with SMTP id i74mr2720630ioe.9.1433490344257; Fri, 05 Jun 2015 00:45:44 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Fri, 5 Jun 2015 00:45:44 -0700 (PDT)
In-Reply-To: <CAH8yC8=_PypmYYW_0XPUS0xFB6vP4N1=RTmzCjdwVnR-05H=hw@mail.gmail.com>
References: <CAH8yC8=_PypmYYW_0XPUS0xFB6vP4N1=RTmzCjdwVnR-05H=hw@mail.gmail.com>
Date: Fri, 05 Jun 2015 03:45:44 -0400
Message-ID: <CAH8yC8kLgbXYZb_-AY3er5EagG5XmUDaQhL7ynRwd+GL2anJeQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: PKIX <pkix@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/avwvgun4px0ZaBmj8dHzisZGEw0>
Subject: Re: [pkix] Please clarify when and where wildcards should be matched in PKIX certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 07:45:47 -0000
Below is the current language (thanks TS). It clearly allows matching
*.COM if the wildcard is in the leftmost label.
And it may allow match just "*", if that is interpreted as the
leftmost label (but not the center label or rightmost label). Stranger
things have happened....
Jeff
(6.4.3. Checking of Wildcard Certificates)
1. The client SHOULD NOT attempt to match a presented identifier in
which the wildcard character comprises a label other than the
left-most label (e.g., do not match bar.*.example.net).
2. If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
3. The client MAY match a presented identifier in which the wildcard
character is not the only character of the label (e.g.,
baz*.example.net and *baz.example.net and b*z.example.net would
be taken to match baz1.example.net and foobaz.example.net and
buzz.example.net, respectively). However, the client SHOULD NOT
attempt to match a presented identifier where the wildcard
character is embedded within an A-label or U-label [IDNA-DEFS] of
an internationalized domain name [IDNA-PROTO].
On Fri, Jun 5, 2015 at 1:55 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> This issue came up on the DBOUND list.
>
> Relevant RFCs like 5280 and 6125, allow wildcards and don't restrict
> them. Some folks have taken the lack of restriction to allow matching
> of *.COM, *.NET and *.ORG. It seems like a logical leap since there is
> no restriction placed on them (or even '*' or '*.*').
>
> When questioned, they state the RFCs don't prohibit them. See, for
> example, "Overly permissive hostname matching" for Wget and GnuTLS
> (https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00093.html and
> https://lists.gnupg.org/pipermail/gnutls-devel/2014-March/006833.html).
> From the GnuTLS reply:
>
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.
>
> The list is actually larger than those two projects, and includes
> others, like Ruby, Java, .Net, Cocoa/CocoaTouch and PERL. Its quite an
> impressive list of offenders. Some offenders, like Ruby, have fixed
> their validators
> (https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/).
> Others have not.
>
> In case its not obvious, no one organization or entity controls some
> of the gTLDs, like *.COM, *.NET and *.ORG. It makes no sense to allow
> a match on them in a CN or SAN.
>
> The CA/Browser Forums, Baseline Requirements document does not allow
> them under Section 3.2.2. But the CA/B is a different set of issuing
> policies, and IETF conforming implementations don't use the CA/B.
>
> Please address this issue in the RFCs.
- Re: [pkix] Please clarify when and where wildcard… Jeffrey Walton
- [pkix] Please clarify when and where wildcards sh… Jeffrey Walton
- Re: [pkix] Please clarify when and where wildcard… Tomoyuki Sahara
- Re: [pkix] Please clarify when and where wildcard… Jeffrey Walton
- Re: [pkix] Please clarify when and where wildcard… Tom Ritter
- Re: [pkix] Please clarify when and where wildcard… Mehner, Carl
- Re: [pkix] Please clarify when and where wildcard… Ryan Sleevi
- Re: [pkix] Please clarify when and where wildcard… Ryan Sleevi
- Re: [pkix] Please clarify when and where wildcard… Jeffrey Walton
- Re: [pkix] Please clarify when and where wildcard… Ryan Sleevi
- Re: [pkix] Please clarify when and where wildcard… Jeffrey Walton