Re: [secdir] SECDIR review of draft-ietf-xmpp-address-05.txt
Peter Saint-Andre <stpeter@stpeter.im> Tue, 26 October 2010 22:07 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32CF43A6897; Tue, 26 Oct 2010 15:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.595
X-Spam-Level:
X-Spam-Status: No, score=-102.595 tagged_above=-999 required=5 tests=[AWL=0.004, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KmDNO9cFeCCF; Tue, 26 Oct 2010 15:07:35 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id A8A4E3A680B; Tue, 26 Oct 2010 15:07:35 -0700 (PDT)
Received: from dhcp-64-101-72-188.cisco.com (dhcp-64-101-72-188.cisco.com [64.101.72.188]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 2021D40D1F; Tue, 26 Oct 2010 16:17:23 -0600 (MDT)
Message-ID: <4CC75191.4010106@stpeter.im>
Date: Tue, 26 Oct 2010 16:09:21 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.11) Gecko/20101013 Thunderbird/3.1.5
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <4CC63810.2030809@bbn.com> <4CC743EE.6090703@stpeter.im> <EB0EE632-EEC3-4A3B-BEDC-FF3E6CD08123@bbn.com>
In-Reply-To: <EB0EE632-EEC3-4A3B-BEDC-FF3E6CD08123@bbn.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040907010308030600020302"
X-Mailman-Approved-At: Tue, 26 Oct 2010 18:28:17 -0700
Cc: draft-ietf-xmpp-address@tools.ietf.org, iesg@ietf.org, XMPP <xmpp@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-ietf-xmpp-address-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2010 22:07:37 -0000
On 10/26/10 3:47 PM, Richard L. Barnes wrote:
<snip/>
>>> S4.3: It seems like there should be some discussion here about
>>> how entities that create JIDs can help mitigate issues of
>>> confusability. For example, the existence of confusable
>>> characters in the domainpart is mitigated by proper registry
>>> policies (which I presume could be incorporated by reference to
>>> some IDNA documents). Localparts and resourceparts are not
>>> constrained to be domain names, but they are controlled or at
>>> least approved by a server, so the server can apply similar
>>> policies to these parts.
>>
>> That said, I think draft-ietf-xmpp-address-06 (you reviewed -05)
>> includes some text that might address your concern, to wit:
>>
>> ### ... ###
>>
>> Does that help?
>
> That's exactly what I was looking for! Presumably the same
> considerations apply to resourceparts, so perhaps just one more
> sentence establishing that equivalence would be in order.
See the antepenultimate sentence of this adjusted paragraph:
###
1. Because an XMPP service that allows registration of XMPP user
accounts (localparts) plays a role similar to that of a registry
for DNS domain names, such a service SHOULD establish a policy
about the scripts or blocks of characters it will allow in
localparts at the service. Such a policy is likely to be
informed by the languages and scripts that are used to write
registered account names; in particular, to reduce confusion, the
service MAY forbid registration of XMPP localparts that contain
characters from more than one script and to restrict
registrations to characters drawn from a very small number of
scripts (e.g., scripts that are well-understood by the
administrators of the service). Such policies are also
appropriate for XMPP services that allow temporary or permanent
registration of XMPP resourceparts, e.g., during resource binding
[XMPP] or upon joining an XMPP-based chat room [XEP-0045]. For
related considerations in the context of domain name
registration, refer to Section 4.3 of [IDNA-PROTO] and Section
3.2 of [IDNA-RATIONALE]. Note well that methods for enforcing
such restrictions are out of scope for this document.
###
>>> S4.4.1 P2: The observation that only part of an identifier can be
>>> authenticated is a good one to make, but there's one subtlety:
>>> The remote server is actually authoritative for the localpart and
>>> resourcepart of the JID, so the fact that the remote domain has
>>> assigned a particular 'from' address effectively authenticates
>>> those fields when the domain is authenticated. It might help to
>>> note that end-to-end authentication of XMPP stanzas could help
>>> mitigate this risk, since it would require the rogue server to
>>> generate false credentials in addition to modifying 'from'
>>> addresses.
>
> Any thoughts on this issue?
Sorry, I was going to scroll up to that part of the email before hitting
send. :)
I suggest the following modified text:
###
Address forging is difficult in XMPP systems, given the requirement
for sending servers to stamp 'from' addresses and for receiving
servers to verify sending domains via server-to-server authentication
(see [XMPP]). However, address forging is possible if:
o A poorly implemented server ignores the requirement for stamping
the 'from' address. This would enable any entity that
authenticated with the server to send stanzas from any
localpart@domainpart as long as the domainpart matches the sending
domain of the server.
o An actively malicious server generates stanzas on behalf of any
registered account.
Therefore, an entity outside the security perimeter of a particular
server cannot reliably distinguish between bare JIDs of the form
<localpart@domainpart> at that server and thus can authenticate only
the domainpart of such JIDs with any level of assurance. This
specification does not define methods for discovering or
counteracting such poorly implemented or rogue servers. However, the
end-to-end authentication or signing of XMPP stanzas could help to
mitigate this risk, since it would require the rogue server to
generate false credentials in addition to modifying 'from' addresses.
###
Hopefully by the time we supersede the address spec, we will have
developed a technology for end-to-end signing and encryption of XMPP
stanzas, which we can reference from the foregoing paragraph.
Peter
--
Peter Saint-Andre
https://stpeter.im/
- [secdir] SECDIR review of draft-ietf-xmpp-address… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Peter Saint-Andre
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Peter Saint-Andre