IETF Logo Mail Archive

Re: Request for new work item - Defining an SRV RR otherName

Sam Hartman <hartmans-ietf@mit.edu> Fri, 20 May 2005 20:20 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11020 for <pkix-archive@lists.ietf.org>; Fri, 20 May 2005 16:20:57 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4KJdY4a046608; Fri, 20 May 2005 12:39:34 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4KJdYfY046607; Fri, 20 May 2005 12:39:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (CARTER-ZIMMERMAN.MIT.EDU [18.18.3.197]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4KJdYSk046598 for <ietf-pkix@imc.org>; Fri, 20 May 2005 12:39:34 -0700 (PDT) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id A401FE0063; Fri, 20 May 2005 15:39:14 -0400 (EDT)
To: ietf-pkix@imc.org
Subject: Re: Request for new work item - Defining an SRV RR otherName
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Fri, 20 May 2005 15:39:14 -0400
Message-ID: <tsl1x81offh.fsf@cz.mit.edu>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>



Hi.  I'm speaking as an individual not as an AD.

This proposal was originally introduced as a use of dnsname in the
Kerberos working group for pkinit.

The authors of the proposal would like to name services as they are
identified by users.  For example a user types foo.bar.example.com
into some program.  The program looks up a SRV record for some service
and then connects to that service.  If insecure DNS is used then the
dns lookup should not be part of the name against which a certificate
is checkde.

We're seeing a similar situation in the kitten working group ; see
draft-ietf-kitten-gssapi-domain-based-names-00.txt.


The idea of this proposal is that the certificate contain the name
that the client system would look up in the same form as the client
uses to look in DNS.

I'm not sure how this proposal has evolved since it was first
presented to me.  Originally the goal was so that application
libraries could use some sort of automatic mechanism to:

* Look up SRV records

* Bind to TLS certificates

* Find the Kerberos principal name

* Bind to pkinit certificates.

All the application author would do would be to pass the service
protocol and name into some magic function.

That bothers me.  There is no guarantee that the SRV record tag will
match the GSS/Kerberos principal name.  There is no guarantee that the
service in question doesn't have some better choice for certificate
binding like one of the IMPP-specific solutions.


I'm also not quite sure that SRV tags are real/really the right thing
to be binding to.

If the PKIX working group does adopt this proposal I would recommend
being very careful.  Make sure to scope it only to be used for
applications/services where it is appropriate.  Make sure to discuss
applications that already have a mechanism for binding their
certificates.

It might also be important to find out if there is actually a use case
for this name type before standardizing it.  There wasn't really that
much support in krb-wg for the earlier version of this.

--Sam

v2.23.0 | Report a Bug | By Email