Re: [pkix] [lamps] [Technical Errata Reported] RFC5280 (5997)
Russ Housley <housley@vigilsec.com> Tue, 03 March 2020 14:41 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500933A0CAF for <pkix@ietfa.amsl.com>; Tue, 3 Mar 2020 06:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sCEupgL58aO for <pkix@ietfa.amsl.com>; Tue, 3 Mar 2020 06:41:40 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D67B3A0CA8 for <pkix@ietf.org>; Tue, 3 Mar 2020 06:41:40 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 1F273300B43 for <pkix@ietf.org>; Tue, 3 Mar 2020 09:41:38 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id g77twz8y9Q9O for <pkix@ietf.org>; Tue, 3 Mar 2020 09:41:34 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 45EB8300196; Tue, 3 Mar 2020 09:41:34 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20200303051555.GQ98042@kduck.mit.edu>
Date: Tue, 03 Mar 2020 09:41:35 -0500
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, SPASM <spasm@ietf.org>, IETF PKIX <pkix@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <40EC4579-6A6A-438A-9E17-DC176D9DDB7E@vigilsec.com>
References: <20200227225404.CA7ADF40714@rfc-editor.org> <CAErg=HEUhTvuhxEv91C8GQZd01XiPByfaqjcvRmgJ00+C2QNRw@mail.gmail.com> <48F9976F-C087-4695-BA63-8DAA730A4906@vigilsec.com> <CAErg=HEAPkYXudf_p9oES5yh+T-5_DxpViuw-JCpeqx-8fNKOw@mail.gmail.com> <20200303051555.GQ98042@kduck.mit.edu>
To: Ben Kaduk <kaduk@MIT.EDU>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/jj86siwTzvKVec-gA2wA-qTYYW4>
Subject: Re: [pkix] [lamps] [Technical Errata Reported] RFC5280 (5997)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 14:41:44 -0000
Ben: I would like to see the revised text put in the errata, and I think Hold for Doc Update is fine. Russ > On Mar 3, 2020, at 12:15 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > > That does seem like the right higher-order question, but it seems (to me) > fairly inevitable that this errata report must be classified as "hold for > document update" to give the WG a chance to make a definitive decision, as > the original intent remains unclear. > > -Ben > > On Fri, Feb 28, 2020 at 01:52:07PM -0500, Ryan Sleevi wrote: >> Thanks. You're absolutely right, that was an oversight on my part. >> >> I think the higher-order question is what the syntax is "meant" to be, as >> the use of an illustrative example alone has lead to confusion. Even if a >> future revision retroactively 'blesses' ".example.com" as an ambiguity >> within 5280, the semantics of that are also ambiguous. >> >> On Fri, Feb 28, 2020 at 1:39 PM Russ Housley <housley@vigilsec.com> wrote: >> >>> Ryan: >>> >>> I see the point you are trying to make, but the exact substitution that >>> you propose breaks the sentence that follows. >>> >>> OLD >>> >>> DNS name restrictions are expressed as host.example.com. Any DNS >>> name that can be constructed by simply adding zero or more labels to >>> the left-hand side of the name satisfies the name constraint. For >>> example, www.host.example.com would satisfy the constraint but >>> host1.example.com would not. >>> >>> NEW >>> >>> For DNS names, restrictions MUST use the dNSName syntax in >>> Section 4.2.1.6. Any DNS name that can be constructed by simply >>> adding zero or more labels to the left-hand side of the name satisfies >>> the name constraint. For example, if the constraint contains >>> host.example.com, then www.host.example.com would satisfy the >>> constraint but host1.example.com would not. >>> >>> On Feb 28, 2020, at 1:03 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: >>> >>> I've heard word that this may not have gone out to the PKIX list, but I >>> did want to pass this along with LAMPS. >>> >>> As both the current syntax and semantics are ambiguous, judging by >>> implementation behaviour, I'm totally appreciative that the suggested >>> change might be rejected or might be held for a hypothetical document >>> update in the future. >>> >>> However, I did want to bring to broader attention and document the fact >>> that the ambiguity has lead to different levels of guarantees. It was >>> recently pointed out to me that Apple adopted the "URI-like" syntax, as >>> discussed at >>> https://cabforum.org/pipermail/servercert-wg/2020-February/001676.html , >>> while as mentioned in the Errata, Go and OpenSSL seem to have adopted the >>> "PEBKAC" syntax of assuming it's an encoding error. >>> >>> Within the Web PKI, tools like Amazon's certlint treats this as an error, >>> while tools like ZLint inherit Golang's permissiveness. As a consequence, >>> unless the CA applies both checks (which is strongly recommended, due to >>> certlint attempting to compile the ASN.1 modules to offer stricter >>> validation), it's possible that such certificates might continue to >>> proliferate. As discussed within the linked Golang issue, there's >>> unfortunately a number of documentation examples that use the leading >>> period example, and so RFC 5280 CAs that don't participate exclusively in >>> the Web PKI are even more at risk of the varying interpretations. >>> >>> ---------- Forwarded message --------- >>> From: RFC Errata System <rfc-editor@rfc-editor.org> >>> Date: Thu, Feb 27, 2020 at 5:54 PM >>> Subject: [Technical Errata Reported] RFC5280 (5997) >>> To: <david.cooper@nist.gov>, <stefans@microsoft.com>, < >>> stephen.farrell@cs.tcd.ie>, <sharon.boeyen@entrust.com>, < >>> housley@vigilsec.com>, <wpolk@nist.gov>, <rdd@cert.org>, <kaduk@mit.edu>, >>> <kent@bbn.com>, <stefan@aaa-sec.com> >>> Cc: <ryan-pkix@sleevi.com>, <pkix@ietf.org>, <rfc-editor@rfc-editor.org> >>> >>> >>> The following errata report has been submitted for RFC5280, >>> "Internet X.509 Public Key Infrastructure Certificate and Certificate >>> Revocation List (CRL) Profile". >>> >>> -------------------------------------- >>> You may review the report below and at: >>> https://www.rfc-editor.org/errata/eid5997 >>> >>> -------------------------------------- >>> Type: Technical >>> Reported by: Ryan Sleevi <ryan-pkix@sleevi.com> >>> >>> Section: 4.2.1.10 >>> >>> Original Text >>> ------------- >>> DNS name restrictions are expressed as host.example.com. Any DNS >>> name that can be constructed by simply adding zero or more labels to >>> the left-hand side of the name satisfies the name constraint. >>> >>> Corrected Text >>> -------------- >>> The syntax of dNSName MUST be as described in Section 4.2.1.6. Any DNS >>> name that can be constructed by simply adding zero or more labels to >>> the left-hand side of the name satisfies the name constraint. >>> >>> Notes >>> ----- >>> Currently, the syntax for a dNSName nameConstraint is left implicit, and >>> thus has resulted in ambiguities in encoding and processing that have >>> resulted in ineroperability issues. >>> >>> One interpretation is that the dNSName nameConstraint must be a valid >>> "host name" (as discussed in RFC 8499), which is to say must be a >>> Fully-Qualified Domain Name in the preferred name syntax. This >>> interpretation is supported by Section 4.2.1.6, which explicitly states >>> that for the subjectAltName. As 4.2.1.10 does not define an exception to >>> this (as discussed in Appendix B), the interpretation, along with the >>> existing example, would conclude that this field uses preferred name >>> syntax, and that "DNS name" here matches the "host name" interpretation >>> from RFC 8499 >>> >>> A different interpretation is that the dNSName nameConstraint uses the >>> modified syntax similar to the URI nameConstraint. That is, it explicitly >>> permits a leading period to indicate that one or more labels preceding is >>> required in order to satisfy the constraint. This allows subdomains, but >>> does not allow the base domain to match. While the language for the DNS >>> name constraint makes it clear that a host name with no preceding period >>> matches both that host and sub-domains, the existence of a preceding period >>> would constraint it to only subdomains. >>> >>> Aligning with Section 4.2.1.6 would prohibit the latter interpretation, as >>> the preferred name syntax does not permit leading periods. Alternatively, >>> if the latter interpretation is intended, this section would benefit from >>> making that explicit. >>> >>> This has been a source of interoperability issues, with additional >>> information and discussion captured at: >>> - https://github.com/golang/go/issues/16347 >>> - https://rt.openssl.org/Ticket/Display.html?id=3562 >>> >>> While "running code" has aligned in being permissive with a leading >>> period, implementations have gone and seemingly aligned on a third >>> interpretation: >>> >>> The syntax of a dNSName MUST be as described in Section 4.2.1.6, with the >>> exception that it MAY contain a leading period. Any DNS name that can be >>> constructed by simply adding zero or more labels to the left-hand side of >>> the name, ignoring any leading period, satisfies the name constraint. >>> >>> This seems to support implementations expecting the first interpretation >>> in the certificates they receive, and seeing leading period as an encoding >>> mistake, not an explicit desire for the second interpretation. >>> >>> Instructions: >>> ------------- >>> This erratum is currently posted as "Reported". If necessary, please >>> use "Reply All" to discuss whether it should be verified or >>> rejected. When a decision is reached, the verifying party >>> can log in to change the status and edit the report, if necessary. >>> >>> -------------------------------------- >>> RFC5280 (draft-ietf-pkix-rfc3280bis-11) >>> -------------------------------------- >>> Title : Internet X.509 Public Key Infrastructure Certificate >>> and Certificate Revocation List (CRL) Profile >>> Publication Date : May 2008 >>> Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. >>> Housley, W. Polk >>> Category : PROPOSED STANDARD >>> Source : Public-Key Infrastructure (X.509) >>> Area : Security >>> Stream : IETF >>> Verifying Party : IESG >>> _______________________________________________ >>> Spasm mailing list >>> Spasm@ietf.org >>> https://www.ietf.org/mailman/listinfo/spasm >>> >>> >>> > >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org >> https://www.ietf.org/mailman/listinfo/spasm > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Russ Housley
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Ryan Sleevi
- Re: [pkix] [lamps] Fwd: [Technical Errata Reporte… Benjamin Kaduk
- Re: [pkix] [lamps] [Technical Errata Reported] RF… Russ Housley