Re: [regext] Comments to the feedback about epp-over-http
"Thomas Corte (TANGO support)" <Thomas.Corte@knipp.de> Fri, 01 April 2022 12:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/jga-I_qjm5b_VBuIyBdY24ue6bc>
Hello Scott,

On 3/31/22 19:58, Hollenbeck, Scott wrote:

> [SAH] Client certificates ARE required for TCP transport with TLS. See here:
>
> https://datatracker.ietf.org/doc/html/rfc5734#section-9
>
> They're not specifically a requirement for EPP, but they are for that particular transport protocol (which just happens to be the only standard transport protocol).

Interesting, it seems that we overlooked that in our own (TANGO) implementation. There, we're currently allowing clients to connect without presenting a client certificate, but they *may* send one (which isn't checked beyond the CA's trustworthiness).

The thing is that many registries' client certificate checks end with doing just that, i.e. clients may present ANY certificate, as long as it's not expired and issued by a CA trusted by the registry's server. In particular, the common name is usually *not* checked, as no properties of the client certificates are "negotiated out of band", as RFC 5734 suggests.

To us, this common practice seemed silly, as anybody can easily get a trusted certificate like that, but all that does is add costs and effort for the client, while not adding any security. This is why we made the client certificate optional, but as it's obviously an RFC violation, we'll need to change that.

Best regards,

Thomas

--
TANGO REGISTRY SERVICES® is a product of:
Knipp Medien und Kommunikation GmbH
Technologiepark                 Phone:  +49 231 9703-222
Martin-Schmeisser-Weg 9         Fax:    +49 231 9703-200
D-44227 Dortmund                E-Mail: support@tango-rs.com
Germany
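The message above describes the weak check (any unexpired certificate from a trusted CA is accepted, CN never compared) versus the "negotiated out of band" binding RFC 5734 section 9 asks for. The following is an added example, not TANGO's or any list participant's code, of what the stronger server-side check looks like: TLS itself enforces CA trust and expiry via CERT_REQUIRED, and once the EPP <login> names the client ID, the presented certificate is compared against the CN and SHA-256 fingerprint registered for that client. The registry table, the DER bytes and the decoded peer certificate are all constructed stand-ins.

```python
# Added example: bind a presented client certificate to the EPP client it was
# negotiated for, on top of the CA-trust check the TLS layer already does.
import hashlib
import ssl

# Constructed registry: EPP client ID -> properties agreed out of band.
# Assumed structure; a real registry would keep this in its database.
EXPECTED = {
    "registrar-123": {
        "common_name": "epp.registrar-123.example",
        "sha256": None,  # pinned below from the constructed DER bytes
    },
}

# Constructed stand-in for getpeercert(binary_form=True) (DER bytes).
CONSTRUCTED_DER = b"\x30\x82\x01\x00constructed-client-cert"
EXPECTED["registrar-123"]["sha256"] = hashlib.sha256(CONSTRUCTED_DER).hexdigest()

# Constructed stand-in for the decoded dict ssl.SSLSocket.getpeercert() returns.
CONSTRUCTED_PEERCERT = {
    "subject": ((("commonName", "epp.registrar-123.example"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def common_name(peercert):
    """Extract the subject CN from a getpeercert() dict, or None if absent."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def verify_client_binding(clid, peercert, der, expected=EXPECTED):
    """Return (ok, reason). CA trust and expiry were already enforced by the
    TLS handshake; this adds the out-of-band binding: the certificate must be
    the one registered for the client ID given in <login>."""
    props = expected.get(clid)
    if props is None:
        return False, "unknown client"
    if common_name(peercert) != props["common_name"]:
        return False, "subject CN does not match negotiated CN"
    if hashlib.sha256(der).hexdigest() != props["sha256"]:
        return False, "certificate fingerprint does not match pinned value"
    return True, "ok"

def make_server_context(ca_path):
    """Server context that refuses clients without a certificate from ca_path
    (the RFC 5734 requirement); call verify_client_binding() after <login>."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(ca_path)
    return ctx
```

A connection that passes make_server_context() but fails verify_client_binding() is exactly the "any trusted certificate" case the message describes, and should be rejected at <login> and logged with the offending CN and fingerprint.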