Re: [pkix] [lamps] [Technical Errata Reported] RFC5280 (5997)

Russ Housley <housley@vigilsec.com> Tue, 03 March 2020 14:41 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500933A0CAF for <pkix@ietfa.amsl.com>; Tue, 3 Mar 2020 06:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sCEupgL58aO for <pkix@ietfa.amsl.com>; Tue, 3 Mar 2020 06:41:40 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D67B3A0CA8 for <pkix@ietf.org>; Tue, 3 Mar 2020 06:41:40 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 1F273300B43 for <pkix@ietf.org>; Tue, 3 Mar 2020 09:41:38 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id g77twz8y9Q9O for <pkix@ietf.org>; Tue, 3 Mar 2020 09:41:34 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 45EB8300196; Tue, 3 Mar 2020 09:41:34 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20200303051555.GQ98042@kduck.mit.edu>
Date: Tue, 3 Mar 2020 09:41:35 -0500
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, SPASM <spasm@ietf.org>, IETF PKIX <pkix@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <40EC4579-6A6A-438A-9E17-DC176D9DDB7E@vigilsec.com>
References: <20200227225404.CA7ADF40714@rfc-editor.org> <CAErg=HEUhTvuhxEv91C8GQZd01XiPByfaqjcvRmgJ00+C2QNRw@mail.gmail.com> <48F9976F-C087-4695-BA63-8DAA730A4906@vigilsec.com> <CAErg=HEAPkYXudf_p9oES5yh+T-5_DxpViuw-JCpeqx-8fNKOw@mail.gmail.com> <20200303051555.GQ98042@kduck.mit.edu>
To: Ben Kaduk <kaduk@MIT.EDU>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/jj86siwTzvKVec-gA2wA-qTYYW4>
Subject: Re: [pkix] [lamps] [Technical Errata Reported] RFC5280 (5997)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 14:41:44 -0000

Ben:

I would like to see the revised text put in the errata, and I think Hold for Doc Update is fine.

Russ


> On Mar 3, 2020, at 12:15 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> That does seem like the right higher-order question, but it seems (to me)
> fairly inevitable that this errata report must be classified as "hold for
> document update" to give the WG a chance to make a definitive decision, as
> the original intent remains unclear.
> 
> -Ben
> 
> On Fri, Feb 28, 2020 at 01:52:07PM -0500, Ryan Sleevi wrote:
>> Thanks. You're absolutely right, that was an oversight on my part.
>> 
>> I think the higher-order question is what the syntax is "meant" to be, as
>> the use of an illustrative example alone has lead to confusion. Even if a
>> future revision retroactively 'blesses' ".example.com" as an ambiguity
>> within 5280, the semantics of that are also ambiguous.
>> 
>> On Fri, Feb 28, 2020 at 1:39 PM Russ Housley <housley@vigilsec.com> wrote:
>> 
>>> Ryan:
>>> 
>>> I see the point you are trying to make, but the exact substitution that
>>> you propose breaks the sentence that follows.
>>> 
>>> OLD
>>> 
>>>   DNS name restrictions are expressed as host.example.com.  Any DNS
>>>   name that can be constructed by simply adding zero or more labels to
>>>   the left-hand side of the name satisfies the name constraint.  For
>>>   example, www.host.example.com would satisfy the constraint but
>>>   host1.example.com would not.
>>> 
>>> NEW
>>> 
>>>   For DNS names, restrictions MUST use the dNSName syntax in
>>>   Section 4.2.1.6.  Any DNS name that can be constructed by simply
>>>   adding zero or more labels to the left-hand side of the name satisfies
>>>   the name constraint.  For example, if the constraint contains
>>>   host.example.com, then www.host.example.com would satisfy the
>>>   constraint but host1.example.com would not.
>>> 
>>> On Feb 28, 2020, at 1:03 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>>> 
>>> I've heard word that this may not have gone out to the PKIX list, but I
>>> did want to pass this along with LAMPS.
>>> 
>>> As both the current syntax and semantics are ambiguous, judging by
>>> implementation behaviour, I'm totally appreciative that the suggested
>>> change might be rejected or might be held for a hypothetical document
>>> update in the future.
>>> 
>>> However, I did want to bring to broader attention and document the fact
>>> that the ambiguity has lead to different levels of guarantees. It was
>>> recently pointed out to me that Apple adopted the "URI-like" syntax, as
>>> discussed at
>>> https://cabforum.org/pipermail/servercert-wg/2020-February/001676.html ,
>>> while as mentioned in the Errata, Go and OpenSSL seem to have adopted the
>>> "PEBKAC" syntax of assuming it's an encoding error.
>>> 
>>> Within the Web PKI, tools like Amazon's certlint treats this as an error,
>>> while tools like ZLint inherit Golang's permissiveness. As a consequence,
>>> unless the CA applies both checks (which is strongly recommended, due to
>>> certlint attempting to compile the ASN.1 modules to offer stricter
>>> validation), it's possible that such certificates might continue to
>>> proliferate. As discussed within the linked Golang issue, there's
>>> unfortunately a number of documentation examples that use the leading
>>> period example, and so RFC 5280 CAs that don't participate exclusively in
>>> the Web PKI are even more at risk of the varying interpretations.
>>> 
>>> ---------- Forwarded message ---------
>>> From: RFC Errata System <rfc-editor@rfc-editor.org>
>>> Date: Thu, Feb 27, 2020 at 5:54 PM
>>> Subject: [Technical Errata Reported] RFC5280 (5997)
>>> To: <david.cooper@nist.gov>ov>, <stefans@microsoft.com>om>, <
>>> stephen.farrell@cs.tcd.ie>gt;, <sharon.boeyen@entrust.com>om>, <
>>> housley@vigilsec.com>gt;, <wpolk@nist.gov>ov>, <rdd@cert.org>rg>, <kaduk@mit.edu>du>,
>>> <kent@bbn.com>om>, <stefan@aaa-sec.com>
>>> Cc: <ryan-pkix@sleevi.com>om>, <pkix@ietf.org>rg>, <rfc-editor@rfc-editor.org>
>>> 
>>> 
>>> The following errata report has been submitted for RFC5280,
>>> "Internet X.509 Public Key Infrastructure Certificate and Certificate
>>> Revocation List (CRL) Profile".
>>> 
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid5997
>>> 
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Ryan Sleevi <ryan-pkix@sleevi.com>
>>> 
>>> Section: 4.2.1.10
>>> 
>>> Original Text
>>> -------------
>>> DNS name restrictions are expressed as host.example.com.  Any DNS
>>> name that can be constructed by simply adding zero or more labels to
>>> the left-hand side of the name satisfies the name constraint.
>>> 
>>> Corrected Text
>>> --------------
>>> The syntax of dNSName MUST be as described in Section 4.2.1.6.  Any DNS
>>> name that can be constructed by simply adding zero or more labels to
>>> the left-hand side of the name satisfies the name constraint.
>>> 
>>> Notes
>>> -----
>>> Currently, the syntax for a dNSName nameConstraint is left implicit, and
>>> thus has resulted in ambiguities in encoding and processing that have
>>> resulted in ineroperability issues.
>>> 
>>> One interpretation is that the dNSName nameConstraint must be a valid
>>> "host name" (as discussed in RFC 8499), which is to say must be a
>>> Fully-Qualified Domain Name in the preferred name syntax. This
>>> interpretation is supported by Section 4.2.1.6, which explicitly states
>>> that for the subjectAltName. As 4.2.1.10 does not define an exception to
>>> this (as discussed in Appendix B), the interpretation, along with the
>>> existing example, would conclude that this field uses preferred name
>>> syntax, and that "DNS name" here matches the "host name" interpretation
>>> from RFC 8499
>>> 
>>> A different interpretation is that the dNSName nameConstraint uses the
>>> modified syntax similar to the URI nameConstraint. That is, it explicitly
>>> permits a leading period to indicate that one or more labels preceding is
>>> required in order to satisfy the constraint. This allows subdomains, but
>>> does not allow the base domain to match. While the language for the DNS
>>> name constraint makes it clear that a host name with no preceding period
>>> matches both that host and sub-domains, the existence of a preceding period
>>> would constraint it to only subdomains.
>>> 
>>> Aligning with Section 4.2.1.6 would prohibit the latter interpretation, as
>>> the preferred name syntax does not permit leading periods. Alternatively,
>>> if the latter interpretation is intended, this section would benefit from
>>> making that explicit.
>>> 
>>> This has been a source of interoperability issues, with additional
>>> information and discussion captured at:
>>> - https://github.com/golang/go/issues/16347
>>> - https://rt.openssl.org/Ticket/Display.html?id=3562
>>> 
>>> While "running code" has aligned in being permissive with a leading
>>> period, implementations have gone and seemingly aligned on a third
>>> interpretation:
>>> 
>>> The syntax of a dNSName MUST be as described in Section 4.2.1.6, with the
>>> exception that it MAY contain a leading period. Any DNS name that can be
>>> constructed by simply adding zero or more labels to the left-hand side of
>>> the name, ignoring any leading period, satisfies the name constraint.
>>> 
>>> This seems to support implementations expecting the first interpretation
>>> in the certificates they receive, and seeing leading period as an encoding
>>> mistake, not an explicit desire for the second interpretation.
>>> 
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>> 
>>> --------------------------------------
>>> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>>> --------------------------------------
>>> Title               : Internet X.509 Public Key Infrastructure Certificate
>>> and Certificate Revocation List (CRL) Profile
>>> Publication Date    : May 2008
>>> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R.
>>> Housley, W. Polk
>>> Category            : PROPOSED STANDARD
>>> Source              : Public-Key Infrastructure (X.509)
>>> Area                : Security
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>> _______________________________________________
>>> Spasm mailing list
>>> Spasm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spasm
>>> 
>>> 
>>> 
> 
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm