Re: [secdir] secdir review of draft-saintandre-tls-server-id-check-09
Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 15 September 2010 18:30 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C80313A6848; Wed, 15 Sep 2010 11:30:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.557
X-Spam-Level:
X-Spam-Status: No, score=-106.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SR3uBy45WZKl; Wed, 15 Sep 2010 11:30:39 -0700 (PDT)
Received: from smtp01.srv.cs.cmu.edu (SMTP01.SRV.CS.CMU.EDU [128.2.217.196]) by core3.amsl.com (Postfix) with ESMTP id 5670D3A69B4; Wed, 15 Sep 2010 11:30:27 -0700 (PDT)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by smtp01.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id o8FIUnIt001518 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Sep 2010 14:30:50 -0400 (EDT)
Date: Wed, 15 Sep 2010 14:30:49 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: barryleiba@computer.org, draft-saintandre-tls-server-id-check.all@tools.ietf.org
Message-ID: <9F71309FD32D5FB6CE831823@minbar.fac.cs.cmu.edu>
In-Reply-To: <28916_1284500522_o8ELg0VD004136_AANLkTin6qXBOEJheaG8+SU=3k63Ed+3qXvoLHF5_hb6x@mail.gmail.com>
References: <28916_1284500522_o8ELg0VD004136_AANLkTin6qXBOEJheaG8+SU=3k63Ed+3qXvoLHF5_hb6x@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.217.196
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-saintandre-tls-server-id-check-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2010 18:30:40 -0000
--On Tuesday, September 14, 2010 05:39:40 PM -0400 Barry Leiba <barryleiba.mailing.lists@gmail.com> wrote: > Second, there's a mixture of "natural person" and "human user" in the > document, and my sense is that you mean the same thing by both. If > you do, you should switch to one term (I prefer the latter; "natural > person" sounds odd). If they're meant to be different, you should > make it clear what the difference is. When I hear "natural person", I think "as opposed to corporation". I'm pretty sure that's not what's meant here, and I agree it sounds odd. > -- Page 21, sec 4.6.2: > client MUST verify that the presented certificate matches the cached > certificate and (if it is an interactive client) MUST notify the user > if the certificate has changed since the last time a secure > connection was successfully negotiated (where causes of change > include but are not limited to changes in the DNS domain name, > identifiers, issuer, certification path, and expiration date). > > I worry about this kind of advice. It violates my rule that says, > "Don't ask the user a question that he's not qualified to answer." Of > course, "notify the user" can mean a lot of things, but too many > clients will implement something like this with a popup that will be > meaningless to 99% of the people who use it. In practice, this advice is meaningless, as the described situation cannot happen. This case happens only when "a natural person has permanently accepted the certificate", which implies the presented certificate is the same as the cached certificate. I think what this section is trying to describe is a situation where the user has permanently accepted _some_ certificate for the service in question. In this situation, the presented certificate should be accepted if it matches the cached one, and should not be accepted if it does not. In the latter case, the UI experience will not end up being noticeably different from that of 4.6.3 -- the presented cert can be accepted temporarily, permanently, or not at all, but someone or some policy has to make that decision. However, I think there does need to be a difference in how the user is presented with a mismatched certificate for a service with an existing cached cert as opposed to one without. In a leap-of-faith model, you want to accept a certificate for a previously-unknown service, but reject a wrong certificate for an already-known service. > -- Page 21, sec 4.6.3, last graf: > Instead, the client MUST proceed as follows. > > I like a colon there, instead of the full stop. > > -- Page 21, sec 4.6.3.1, security note: > caution, for example by first encouraging the user to terminate > the connection, forcing the user to view the entire certification > path, and allowing the user to accept the certificate only on a > temporary basis (i.e., for this connection attempt and all > subsequent connection attempts for the life of the application > session). > > Same comment as for 4.6.2. Most users will not understand certificate > problems, and will have no idea what they should do about them. > Always remember the "Barry's mother problem". My mother will *never* > want to see an "entire certification path", let alone appreciate being > "forced" to. In fact, I see two problems with the quoted advice. First, since we're talking about a certificate name mismatch, the rest of the certification chain really isn't relevant. It would be if the problem were a chain that doesn't lead to a suitable trust anchor, but that's not what this document is about. That said, Barry, your mother is not an "advanced user" in the sense intended by this document, and should never even be given the option to accept a certificate that doesn't validate. The second issue is the advice that the user should be allowed to accept a certificate with a mismatched name only on a temporary basis. This is almost certain to be the wrong thing to do; if a name mismatch is acceptable, it's also not likely to change anytime soon, and requiring the user to accept the certificate again in a later session just because the client has restarted is just annoying with no security benefit. If we were talking about path validation rather than server naming, I'd point out that accepting a certificate only temporarily doesn't give you the benefit of being able to detect future changes, and so actually _reduces_ security. With names, this isn't a big deal, as it's relatively easy to decide whether foo.bank.com and foo.attacker.org are the same or not (well, unless the bank and attacker have the same name). > -- Page 22, sec 5.1: > When the connecting application is an interactive client, the source > domain name and service type MUST be provided by a human user (e.g. > when specifying the server portion of the user's account name on the > server or when explicitly configuring the client to connect to a > particular host or URI as in [SIP-LOC]) and MUST NOT be derived from > the user inputs in an automated fashion (e.g., a host name or domain > name discovered through DNS resolution of the source domain). This > rule is important because only a match between the user inputs (in > the form of a reference identifier) and a presented identifier > enables the client to be sure that the certificate can legitimately > be used to secure the connection. > > Does this mean that a client specifically designed for the "gumbo" > service can't automatically use the service type "gumbo", without the > user's involvement? I don't think it does. If a user is running a gumbo client, I think it's implied that he meant to talk to the gumbo service. But if he's running a web browser, the browser should not decide that the user meant to use the gumbo service by the presence of gumbo.example.com (or a corresponding SRV record) in the DNS, any more than it should assume from the presence of an alias www.example.com => gumbo.example.com that gumbo.example.com is an acceptable server name when the user typed www.example.com. > Or that a client put out by example.net can't > assume a host name of services.example.net in the absence of user > input that says otherwise? Again, I think this is fine; the client defines the lack of a user-specified name to mean something specific. What's not fine is to take the name given by the user and apply an insecure translation such as an unprotected DNS lookup. I think the advice in this paragraph is a little over-restrictive. What should be prohibited is not automated rewriting, but automated rewriting based on the use of insecure sources. RFC4120 has the following to say on this subject, as it relates to Kerberos: One can also rely on trusted third parties to make this determination, but only when the data obtained from the third party is suitably integrity-protected while resident on the third-party server and when transmitted. Thus, for example, one should not rely on an unprotected DNS record to map a host alias to the primary name of a server, accepting the primary name as the party that one intends to contact, since an attacker can modify the mapping and impersonate the party. > Further, it's entirely reasonable for a program to have a user enter > something like "gmail", and have the client turn that into something > like "mail.google.com", deriving it from the user's input in an > automated fashion. Not if the client does so by rewriting "gmail" as "www.gmail.com", looking that up in the DNS, and using the target of the resulting alias. Most web browsers already get this right, thankfully. -- Jeff
- Re: [secdir] [TLS] secdir review of draft-saintan… =JeffH
- [secdir] secdir review of draft-saintandre-tls-se… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] [TLS] [certid] secdir review of draf… Richard L. Barnes
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] [certid] secdir review of draft-sain… ArkanoiD
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Jeffrey A. Williams
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] secdir review of Martin Rex
- Re: [secdir] [TLS] secdir review of Robert Relyea
- Re: [secdir] [TLS] secdir review of Nicolas Williams