Re: [secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute

Kurt Zeilenga <> Wed, 12 August 2009 19:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 77A103A6984; Wed, 12 Aug 2009 12:03:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 69ywOIKBZavi; Wed, 12 Aug 2009 12:03:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 653FB3A6838; Wed, 12 Aug 2009 12:03:21 -0700 (PDT)
Received: from [] ( []) by (submission channel) via TCP with ESMTPSA id <>; Wed, 12 Aug 2009 20:01:45 +0100
Message-Id: <>
From: Kurt Zeilenga <>
To: Sean Turner <>
In-Reply-To: <>
Date: Wed, 12 Aug 2009 12:01:41 -0700
References: <8048.1249937599.500468@puncture> <>
X-Mailer: Apple Mail (2.936)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Cc: Security Area Directorate <>,, The IESG <>
Subject: Re: [secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Aug 2009 19:03:22 -0000

On Aug 12, 2009, at 11:16 AM, Sean Turner wrote:

> Dave,
> Thanks for your review.  Responses inline.
> spt
> Dave Cridland wrote:
>> I have reviewed this document as part of the security directorate's  
>> ongoing effort to review all IETF documents being processed by the  
>> IESG.  These comments were written primarily for the benefit of the  
>> security area directors.  Document editors and WG chairs should  
>> treat these comments just like any other last call comments.
>> (I would note for the record that I roped in Kurt Zeilenga to check  
>> certain issues, but I nevertheless take full credit for any errors).
>> This is a straighforward definition of an attribute suitable for X. 
>> 509 certificates (either public key or attribute) or X.500/LDAP  
>> directory entries which carries the name of the clearance sponsor,  
>> that is, the entity which initiated and maintains the assignment of  
>> the clearance.
>> I note that recent cases where a DirectoryName has been used with X. 
>> 509 for authentication - in particular usage of the CommonName of  
>> the Subject Name - have been subjected to attacks using embedded  
>> NULs. Whilst presumably using the correct equality matching rule  
>> prevents this, it'd be nice to see that called out. (If the  
>> equality matching rule does not prevent this case, that's obviously  
>> more serious).
>> Mandating that NUL is not a valid codepoint in this attribute would  
>> probably be useful, too.
> Good point! I'll add that the DirectoryString MUST NOT be NULL.

DirectoryString is not defined by your I-D but by reference, as is the  
caseIgnoreMatch rule.  The security consideration is applicable to all  
protocols using DirectoryString and caseIgnoreMatch.

I think what you ought to say, in the Security Considerations section  
of this I-D, is something like:

While values of DirectoryString can include the NUL (U+0000) code  
point, values used to represent clearance sponsors typically would  
not.  Implementations of the caseIgnoreMatch rule must, per X.501,  
consider all of the assertion value and attribute value in matching  
and hence protect against truncation attacks.

-- Kurt