Re: [secdir] weirds and certificate naming

Sam Hartman <hartmans-ietf@mit.edu> Thu, 15 August 2013 00:05 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Sean Turner <turners@ieca.com>
References: <tslwqo9qyqx.fsf@mit.edu> <520C17FA.6030705@ieca.com>
Date: Wed, 14 Aug 2013 20:04:58 -0400
In-Reply-To: <520C17FA.6030705@ieca.com> (Sean Turner's message of "Wed, 14 Aug 2013 19:51:22 -0400")
Message-ID: <tslk3jnaket.fsf@mit.edu>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, secdir@ietf.org
Subject: Re: [secdir] weirds and certificate naming

>>>>> "Sean" == Sean Turner <turners@ieca.com> writes:

    Sean> Sam, it looks like their MTI mechanism is:

    Sean>  To that end, RDAP clients and servers MUST implement the
    Sean> authentication framework specified in "HTTP Authentication:
    Sean> Basic and Digest Access Authentication" [RFC2617].

I don't understand how that helps authenticate the server at all.
This seems horribly broken.

Strongly recommend convincing yourself that the query string typed by
the user is securely mapped to the identity of the right server.
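As an added illustration (not part of this thread) of the check being asked for: the client derives which server is authoritative for the typed query, then verifies the TLS peer's certificate name against that host, while the outcome of the Basic/Digest exchange is ignored for that purpose. The bootstrap table, the certificate dictionaries and the RFC 6125-style DNS-ID matcher below are constructed assumptions, not RDAP's own code.

```python
from urllib.parse import urlsplit

# Constructed bootstrap table (assumption): TLD -> base URL of the server
# the client is *supposed* to reach for queries under that TLD.
BOOTSTRAP = {
    "example": "https://rdap.example.net/",
    "test": "https://rdap-test.example.org/",
}


def expected_rdap_host(query: str) -> str:
    """Map the user's query string to the host that must answer it."""
    tld = query.rstrip(".").rsplit(".", 1)[-1].lower()
    return urlsplit(BOOTSTRAP[tld]).hostname  # KeyError: no known server


def dns_id_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, same label
    count, and '*' accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def server_identity_ok(expected_host: str, peer_cert: dict) -> bool:
    """Accept the TLS peer only if a subjectAltName dNSName matches the
    host the bootstrap data selected for this query."""
    sans = [v for kind, v in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_id_matches(san, expected_host) for san in sans)


def authenticated_server(query: str, peer_cert: dict, digest_auth_ok: bool) -> bool:
    """A successful Basic/Digest exchange proves the client's credentials
    to whoever answered; it says nothing about who that is, so it is
    deliberately not consulted. Only the certificate check binds the
    query to the right server."""
    del digest_auth_ok
    return server_identity_ok(expected_rdap_host(query), peer_cert)


# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {"subjectAltName": (("DNS", "*.example.net"),)}
WRONG_CERT = {"subjectAltName": (("DNS", "rdap.example.org"),)}
```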