[secdir] weirds and certificate naming

Sam Hartman <hartmans-ietf@mit.edu> Mon, 29 July 2013 13:31 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A634A21F9ED4 for <secdir@ietfa.amsl.com>; Mon, 29 Jul 2013 06:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iASvxp6KcoVm for <secdir@ietfa.amsl.com>; Mon, 29 Jul 2013 06:31:07 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id E27CD21F9D4A for <secdir@ietf.org>; Mon, 29 Jul 2013 06:31:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 1F67F201FA for <secdir@ietf.org>; Mon, 29 Jul 2013 09:30:31 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGW7udGBEBxv for <secdir@ietf.org>; Mon, 29 Jul 2013 09:30:30 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (dhcp-4332.meeting.ietf.org [130.129.67.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS for <secdir@ietf.org>; Mon, 29 Jul 2013 09:30:30 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id AD0A887FB2; Mon, 29 Jul 2013 09:31:02 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: secdir@ietf.org
Date: Mon, 29 Jul 2013 09:31:02 -0400
Message-ID: <tslwqo9qyqx.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: [secdir] weirds and certificate naming
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 13:31:20 -0000

Hi.
To the ADs and especially to the folks who have outstanding weirds
reviews.

Please chase down how a query name entered by a user makes its way into
a URI and how weirds validates the certificate in that URI.
I suspect that there are problems here.
For example, I suspect insecure DNS queries may be used to find parts of
that URI.
Alternatively  even if DNSsec is available, I suspect supporting DNSsec
may not be a MTI for weirds clients.
So, I'm dubious whether weirds will have an interoperable MTI security
mechanism.