IETF Logo Mail Archive

RE: Request for new work item - Defining an SRV RR otherName

Tom Gindin <tgindin@us.ibm.com> Tue, 24 May 2005 04:10 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29845 for <pkix-archive@lists.ietf.org>; Tue, 24 May 2005 00:10:56 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4O3BvNZ037886; Mon, 23 May 2005 20:11:57 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4O3BvB6037885; Mon, 23 May 2005 20:11:57 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.143]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4O3BtcV037851 for <ietf-pkix@imc.org>; Mon, 23 May 2005 20:11:56 -0700 (PDT) (envelope-from tgindin@us.ibm.com)
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e3.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id j4O3Bomr001257 for <ietf-pkix@imc.org>; Mon, 23 May 2005 23:11:50 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by d01relay04.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id j4O3Bo2H055824 for <ietf-pkix@imc.org>; Mon, 23 May 2005 23:11:50 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1]) by d01av01.pok.ibm.com (8.12.11/8.13.3) with ESMTP id j4O3Bo6F014877 for <ietf-pkix@imc.org>; Mon, 23 May 2005 23:11:50 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av01.pok.ibm.com (8.12.11/8.12.11) with ESMTP id j4O3BnFw014803; Mon, 23 May 2005 23:11:50 -0400
In-Reply-To: <BF9309599A71984CAC5BAC5ECA629944026B2435@EUR-MSG-11.europe.corp.microsoft.com>
To: Stefan Santesson <stefans@microsoft.com>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, ietf-pkix@imc.org
MIME-Version: 1.0
Subject: RE: Request for new work item - Defining an SRV RR otherName
X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
From: Tom Gindin <tgindin@us.ibm.com>
Message-ID: <OFF6E57DF8.2F846F07-ON8525700B.000F9A90-8525700B.001171F4@us.ibm.com>
Date: Mon, 23 May 2005 23:10:38 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 6.53IBM1 HF14|April 18, 2005) at 05/23/2005 23:11:50, Serialize complete at 05/23/2005 23:11:50
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

        Stefan:

        Maybe I'm being a bit thick here, but do you really intend to 
include the entire RR contents, including the weight, target and port, in 
this otherName?  Or do you intend to include only the lookup key 
(_service._protocol.DNSName) instead?  Some of your wording makes IMHO 
more sense in that case, and the assertion you're conveying is "the CA 
issuer has authorized this entity to provide this service for this 
domain".
        Whatever may be the case for Kerberos, I don't see why this 
feature is problematic for (say) LDAP, except insofar as it's an argument 
for name constraints.  I do think that you'd need to state that the use of 
this field in a certificate is governed by DNSName name constraints.

                Tom Gindin






"Stefan Santesson" <stefans@microsoft.com>
Sent by: owner-ietf-pkix@mail.imc.org
05/20/2005 06:44 PM
 
        To:     "Sam Hartman" <hartmans-ietf@mit.edu>, <ietf-pkix@imc.org>
        cc: 
        Subject:        RE: Request for new work item - Defining an SRV RR 
otherName



Sam,

My recollection of this issue is a bit different from yours.

The central need here is to enable the KDC to express in a certificate
the fact that it is a KDC in a way that male sense to clients.

In a traditional Kerberos environment the KDC can be known as a KDC
since it can demonstrate knowledge of the user's key.

In PKI initiated Kerberos, this property is lost.

If the client knows the host name, IP address or any other identity of
the KDC, which can be mapped to information in the KDC certificate, then
we are good and appropriate binding is possible.

However, from what I have learned, we may face situations where a client
only know the name of the domain it wants to access and the fact that it
looks for a PKINIT enabled KDC. In this case it is assumed that the
client would do a SRV RR query to the DNS to get the host name of the
currently available KDC.

If the SRV RR is NOT the appropriate name to bind to in this case, then
my question is what the alternative is.


Finally, the reason to do this in PKIX is since this in principle is a
generic way of service discovery that may be useful also for other
services where the client only know service name, protocol and domain. I
have indications that it is becoming more and more interesting to
dynamically search for services in this manner for other services but
I'm very interested of other opinions here.

I don't however understand in what way we need to be careful to limit
this only to some specific services. Could you clarify this concern? 

/Stefan


> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
> On Behalf Of Sam Hartman
> Sent: den 20 maj 2005 12:39
> To: ietf-pkix@imc.org
> Subject: Re: Request for new work item - Defining an SRV RR otherName
> 
> 
> 
> 
> Hi.  I'm speaking as an individual not as an AD.
> 
> This proposal was originally introduced as a use of dnsname in the
> Kerberos working group for pkinit.
> 
> The authors of the proposal would like to name services as they are
> identified by users.  For example a user types foo.bar.example.com
> into some program.  The program looks up a SRV record for some service
> and then connects to that service.  If insecure DNS is used then the
> dns lookup should not be part of the name against which a certificate
> is checkde.
> 
> We're seeing a similar situation in the kitten working group ; see
> draft-ietf-kitten-gssapi-domain-based-names-00.txt.
> 
> 
> The idea of this proposal is that the certificate contain the name
> that the client system would look up in the same form as the client
> uses to look in DNS.
> 
> I'm not sure how this proposal has evolved since it was first
> presented to me.  Originally the goal was so that application
> libraries could use some sort of automatic mechanism to:
> 
> * Look up SRV records
> 
> * Bind to TLS certificates
> 
> * Find the Kerberos principal name
> 
> * Bind to pkinit certificates.
> 
> All the application author would do would be to pass the service
> protocol and name into some magic function.
> 
> That bothers me.  There is no guarantee that the SRV record tag will
> match the GSS/Kerberos principal name.  There is no guarantee that the
> service in question doesn't have some better choice for certificate
> binding like one of the IMPP-specific solutions.
> 
> 
> I'm also not quite sure that SRV tags are real/really the right thing
> to be binding to.
> 
> If the PKIX working group does adopt this proposal I would recommend
> being very careful.  Make sure to scope it only to be used for
> applications/services where it is appropriate.  Make sure to discuss
> applications that already have a mechanism for binding their
> certificates.
> 
> It might also be important to find out if there is actually a use case
> for this name type before standardizing it.  There wasn't really that
> much support in krb-wg for the earlier version of this.
> 
> --Sam

v2.23.0 | Report a Bug | By Email