Re: [secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute

Sean Turner <> Wed, 12 August 2009 18:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1D03B3A69C7 for <>; Wed, 12 Aug 2009 11:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EM1FXNAY-cMQ for <>; Wed, 12 Aug 2009 11:25:02 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id B686C3A67DB for <>; Wed, 12 Aug 2009 11:25:01 -0700 (PDT)
Received: (qmail 66705 invoked from network); 12 Aug 2009 18:17:00 -0000
Received: from unknown (HELO thunderfish.local) (turners@ with plain) by with SMTP; 12 Aug 2009 18:16:59 -0000
X-Yahoo-SMTP: qPTWNAeswBAtDTSn9GKlmmL3C90ke7grn_5n9To-
X-YMail-OSG: TaS.2g8VM1lm9DFFweMt8ZOoe5StoBPzMpfdMalYmNjytwuyQCSepYp6SxRMeCYEUn0rG4yp7jhYLOCCZVavhu4MzIEt601zp_swQqhyXs0a.KZ5Rb670LHxeWwcv5d6gJFGNXNCw7p9UvTQIabKKqfDJL99s5zZPDh5Bg8cyDHlbRUDBJHvfcZXwGHg_QxCe7ZpXRbbh5HvOtPpVkwwZhTXeSMFvxgf614y_01YKAyaMD_Wt0ar33lQ7_ijO8iQkd5Wsh3MhoSazYmnQauktdkE6q7zTrM_6BDdNAEJIy3bbmz42u8guQdyKvZdyw16gjy7
X-Yahoo-Newman-Property: ymail-3
Message-ID: <>
Date: Wed, 12 Aug 2009 14:16:59 -0400
From: Sean Turner <>
User-Agent: Thunderbird (Macintosh/20090605)
MIME-Version: 1.0
To: Dave Cridland <>
References: <8048.1249937599.500468@puncture>
In-Reply-To: <8048.1249937599.500468@puncture>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc:, The IESG <>, Security Area Directorate <>
Subject: Re: [secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Aug 2009 18:25:02 -0000


Thanks for your review.  Responses inline.


Dave Cridland wrote:
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> (I would note for the record that I roped in Kurt Zeilenga to check 
> certain issues, but I nevertheless take full credit for any errors).
> This is a straighforward definition of an attribute suitable for X.509 
> certificates (either public key or attribute) or X.500/LDAP directory 
> entries which carries the name of the clearance sponsor, that is, the 
> entity which initiated and maintains the assignment of the clearance.
> I note that recent cases where a DirectoryName has been used with X.509 
> for authentication - in particular usage of the CommonName of the 
> Subject Name - have been subjected to attacks using embedded NULs. 
> Whilst presumably using the correct equality matching rule prevents 
> this, it'd be nice to see that called out. (If the equality matching 
> rule does not prevent this case, that's obviously more serious).
> Mandating that NUL is not a valid codepoint in this attribute would 
> probably be useful, too.

Good point! I'll add that the DirectoryString MUST NOT be NULL.

> General notes:
> It's not entirely clear to me why one would want to consider this as 
> part of an authorization check, unless one was attempting to match the 
> name of the sponsor against a list of "known good" sponsors - that is, 
> if a sponsor was subsequently revoked as a whole as being a suitable 
> sponsor, one might want the sponsored clearances to be pulled as well. 
> (It might be useful to note *why* one might want to do this, within the 
> draft).

I'll move the last sentence in the 1st para in the intro to a new 
paragraph and add some examples:

This attribute may be used in authorization decisions.  For example, a 
web server deciding whether to allow a user access could check that the 
clearance sponsor present in the user's certificate is on an "approved" 
list. The web server could also check that the included clearance 
sponsor is on an "approved" list to issue the included clearance.

> However, it occurs to me that this kind of matching might be better done 
> against an OID, such as one from the Enterprise arc, rather than a 
> simple string, which might prove to be subject to human foibles.

Fat fingering is a concern but some people really like "human readable."
I'm certainly hoping that for people that use this there's a check to 
make sure that what they put in the string is only from an allowable list.

> Dave.