Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09

Marsh Ray <marsh@extendedsubset.com> Thu, 23 September 2010 18:33 UTC

From: Marsh Ray <marsh@extendedsubset.com>
Date: Thu, 23 Sep 2010 13:33:54 -0500
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org, ArkanoiD <ark@eltex.net>
Message-ID: <4C9B9D92.1060406@extendedsubset.com>
In-Reply-To: <93037048-4609-40F7-BCC0-D635301E4042@bbn.com>
List-Id: Security Area Directorate <secdir.ietf.org>

On 09/23/2010 01:10 PM, Richard L. Barnes wrote:
> There is no black magic here, only the magic of the TLS server_name
> extension. If the client provides server_name=gmail.com, the server
> provides a gmail.com cert, otherwise it defaults to mail.google.com.
>  Your browser is following two secure delegations before it lands at
>  www.google.com (gmail.com -> mail.google.com -> www.google.com).

I'd not even considered SNI.

> My guess based on the anecdotes in the thread is that IE8 doesn't
> support it.

Not IE8, but the pre-Vista Windows I was testing it on that doesn't do
extensions by default.

Which is why I'd not considered that gmail would depend on SNI for
its operation. I'd forgotten that this is Google we were talking about 
and not any other company in the world that would put support for MSIE 
on Windows XP ahead of protocol standards. :-)

> (You should also be more careful about your HTTP emulation! "A client
> MUST include a Host header field in all HTTP/1.1 request messages.")

Yep, that's why I requested HTTP/1.0.

- Marsh
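The server_name mechanism Richard describes above, as an added example that is not part of the original thread or of any Google or Microsoft code: a minimal TLS ClientHello builder and server_name (SNI, RFC 6066) extractor, plus a name-based certificate selector that falls back to a default certificate when the ClientHello carries no extensions block at all, which is what a client that "doesn't do extensions" sends. The host names mirror the thread's example; the certificate values, the zeroed random and the two placeholder cipher suites are constructed for illustration only.

```python
"""Minimal ClientHello builder and SNI extractor (added example, not code
from the original thread).  Byte layouts follow RFC 5246 / RFC 6066; the
random field, cipher suites and certificate values are constructed samples."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(server_name=None, cipher_suites=(0x002F, 0x0035)):
    """Return one TLS record carrying a ClientHello (TLS 1.2 version bytes).

    With server_name=None the ClientHello is emitted with no extensions
    block, i.e. what an extension-less client such as pre-Vista Schannel sends."""
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += bytes(32)                           # random: zeros (constructed sample)
    body += b"\x00"                             # session_id: empty
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                         # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the hello has no extensions block or no SNI entry."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    pos = 2 + 32                                # skip client_version + random
    pos += 1 + body[pos]                        # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                           # skip cipher_suites
    pos += 1 + body[pos]                        # skip compression_methods
    if pos >= len(body):
        return None                             # legacy hello: no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii").lower()
    return None


def select_certificate(record, certs_by_name, default_name):
    """Name-based virtual hosting: the certificate whose name matches the SNI
    host_name, else the default one (this is the 'otherwise it defaults to'
    behaviour from the thread, not a description of Google's real deployment)."""
    name = extract_sni(record)
    return certs_by_name.get(name, certs_by_name[default_name])


# Constructed sample: names mirror the thread, certificate values are placeholders.
CERTS = {
    "gmail.com": "cert-for-gmail.com",
    "mail.google.com": "cert-for-mail.google.com",
}

if __name__ == "__main__":
    for hello in (build_client_hello("gmail.com"), build_client_hello(None)):
        print(extract_sni(hello), "->", select_certificate(hello, CERTS, "mail.google.com"))
```

Running the block prints the SNI-bearing hello resolving to the gmail.com certificate and the extension-less hello resolving to the mail.google.com default, which is the divergence a client without extension support would observe.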