Re: [secdir] SECDIR review of draft-ietf-xmpp-address-05.txt
Peter Saint-Andre <stpeter@stpeter.im> Tue, 26 October 2010 22:07 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32CF43A6897; Tue, 26 Oct 2010 15:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.595
X-Spam-Level:
X-Spam-Status: No, score=-102.595 tagged_above=-999 required=5 tests=[AWL=0.004, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KmDNO9cFeCCF; Tue, 26 Oct 2010 15:07:35 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id A8A4E3A680B; Tue, 26 Oct 2010 15:07:35 -0700 (PDT)
Received: from dhcp-64-101-72-188.cisco.com (dhcp-64-101-72-188.cisco.com [64.101.72.188]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 2021D40D1F; Tue, 26 Oct 2010 16:17:23 -0600 (MDT)
Message-ID: <4CC75191.4010106@stpeter.im>
Date: Tue, 26 Oct 2010 16:09:21 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.11) Gecko/20101013 Thunderbird/3.1.5
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <4CC63810.2030809@bbn.com> <4CC743EE.6090703@stpeter.im> <EB0EE632-EEC3-4A3B-BEDC-FF3E6CD08123@bbn.com>
In-Reply-To: <EB0EE632-EEC3-4A3B-BEDC-FF3E6CD08123@bbn.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040907010308030600020302"
X-Mailman-Approved-At: Tue, 26 Oct 2010 18:28:17 -0700
Cc: draft-ietf-xmpp-address@tools.ietf.org, iesg@ietf.org, XMPP <xmpp@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-ietf-xmpp-address-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2010 22:07:37 -0000
On 10/26/10 3:47 PM, Richard L. Barnes wrote: <snip/> >>> S4.3: It seems like there should be some discussion here about >>> how entities that create JIDs can help mitigate issues of >>> confusability. For example, the existence of confusable >>> characters in the domainpart is mitigated by proper registry >>> policies (which I presume could be incorporated by reference to >>> some IDNA documents). Localparts and resourceparts are not >>> constrained to be domain names, but they are controlled or at >>> least approved by a server, so the server can apply similar >>> policies to these parts. >> >> That said, I think draft-ietf-xmpp-address-06 (you reviewed -05) >> includes some text that might address your concern, to wit: >> >> ### ... ### >> >> Does that help? > > That's exactly what I was looking for! Presumably the same > considerations apply to resourceparts, so perhaps just one more > sentence establishing that equivalence would be in order. See the antepenultimate sentence of this adjusted paragraph: ### 1. Because an XMPP service that allows registration of XMPP user accounts (localparts) plays a role similar to that of a registry for DNS domain names, such a service SHOULD establish a policy about the scripts or blocks of characters it will allow in localparts at the service. Such a policy is likely to be informed by the languages and scripts that are used to write registered account names; in particular, to reduce confusion, the service MAY forbid registration of XMPP localparts that contain characters from more than one script and to restrict registrations to characters drawn from a very small number of scripts (e.g., scripts that are well-understood by the administrators of the service). Such policies are also appropriate for XMPP services that allow temporary or permanent registration of XMPP resourceparts, e.g., during resource binding [XMPP] or upon joining an XMPP-based chat room [XEP-0045]. For related considerations in the context of domain name registration, refer to Section 4.3 of [IDNA-PROTO] and Section 3.2 of [IDNA-RATIONALE]. Note well that methods for enforcing such restrictions are out of scope for this document. ### >>> S4.4.1 P2: The observation that only part of an identifier can be >>> authenticated is a good one to make, but there's one subtlety: >>> The remote server is actually authoritative for the localpart and >>> resourcepart of the JID, so the fact that the remote domain has >>> assigned a particular 'from' address effectively authenticates >>> those fields when the domain is authenticated. It might help to >>> note that end-to-end authentication of XMPP stanzas could help >>> mitigate this risk, since it would require the rogue server to >>> generate false credentials in addition to modifying 'from' >>> addresses. > > Any thoughts on this issue? Sorry, I was going to scroll up to that part of the email before hitting send. :) I suggest the following modified text: ### Address forging is difficult in XMPP systems, given the requirement for sending servers to stamp 'from' addresses and for receiving servers to verify sending domains via server-to-server authentication (see [XMPP]). However, address forging is possible if: o A poorly implemented server ignores the requirement for stamping the 'from' address. This would enable any entity that authenticated with the server to send stanzas from any localpart@domainpart as long as the domainpart matches the sending domain of the server. o An actively malicious server generates stanzas on behalf of any registered account. Therefore, an entity outside the security perimeter of a particular server cannot reliably distinguish between bare JIDs of the form <localpart@domainpart> at that server and thus can authenticate only the domainpart of such JIDs with any level of assurance. This specification does not define methods for discovering or counteracting such poorly implemented or rogue servers. However, the end-to-end authentication or signing of XMPP stanzas could help to mitigate this risk, since it would require the rogue server to generate false credentials in addition to modifying 'from' addresses. ### Hopefully by the time we supersede the address spec, we will have developed a technology for end-to-end signing and encryption of XMPP stanzas, which we can reference from the foregoing paragraph. Peter -- Peter Saint-Andre https://stpeter.im/
- [secdir] SECDIR review of draft-ietf-xmpp-address… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Richard L. Barnes
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Peter Saint-Andre
- Re: [secdir] SECDIR review of draft-ietf-xmpp-add… Peter Saint-Andre