IETF Logo Mail Archive

Re: [TLS] Implementation survey: Client Certificate URL extension

<Pasi.Eronen@nokia.com> Fri, 04 April 2008 08:24 UTC

Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2AD053A6D24; Fri, 4 Apr 2008 01:24:51 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A6B8F3A69E9 for <tls@core3.amsl.com>; Fri, 4 Apr 2008 01:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.873
X-Spam-Level:
X-Spam-Status: No, score=-4.873 tagged_above=-999 required=5 tests=[AWL=1.726, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lEiawp2vKpoj for <tls@core3.amsl.com>; Fri, 4 Apr 2008 01:24:49 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 57CE53A6D02 for <tls@ietf.org>; Fri, 4 Apr 2008 01:24:49 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m348OYqi007635; Fri, 4 Apr 2008 11:24:52 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 4 Apr 2008 11:24:30 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 4 Apr 2008 11:24:30 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Fri, 04 Apr 2008 11:24:30 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB7247EFE3@vaebe104.NOE.Nokia.com>
In-Reply-To: <200804031610.m33GAJ6V004192@fs4113.wdf.sap.corp>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Implementation survey: Client Certificate URL extension
thread-index: AciVpVMD+zIFfXfFS5WikbJavKK4TwAhvE1w
References: <1696498986EFEC4D9153717DA325CB7223A82C@vaebe104.NOE.Nokia.com> from "Pasi.Eronen@nokia.com" at Mar 18, 8 01:39:49 pm <200804031610.m33GAJ6V004192@fs4113.wdf.sap.corp>
From: Pasi.Eronen@nokia.com
To: martin.rex@sap.com
X-OriginalArrivalTime: 04 Apr 2008 08:24:30.0447 (UTC) FILETIME=[4DE2E7F0:01C8962D]
X-Nokia-AV: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] Implementation survey: Client Certificate URL extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org

This vulnerability of Client Certificate URL is already described in
the Security Considerations text in RFC 4366, so it isn't anything
particularly new.

In the context of web browsing over TLS, it isn't really different
than, say, the ability to include IMG URLs pointing to arbitrary hosts
(not just the one the HTML page came from).

I can see that this could be more of a problem in other contexts:
e.g., email clients don't usually fetch image URLs (since that would
reveal that the address works, when the email was read, approximate
network location of the client, etc.) -- but if they fetch URLs during
S/MIME certification path validation, it would have roughly the same
result.

Best regards,
Pasi

> -----Original Message-----
> From: ext Martin Rex [mailto:Martin.Rex@sap.com] 
> Sent: 03 April, 2008 19:10
> To: Eronen Pasi (Nokia-NRC/Helsinki)
> Cc: tls@ietf.org
> Subject: Re: [TLS] Implementation survey: Client Certificate 
> URL extension
> 
> If you read the news, you probably noticed the following paper
> today or these days:
> 
> https://www.cynops.de/techzone/http_over_x509.html
> 
> Although this Papers describes a serious design flaw in the
> rfc3280 suggestion to put URLs of intermediate CAs into X.509v3
> cert extensions and have peers use them in order to be able
> to build a certification path, the very same problem will
> apply to every concept that a communication peer can be
> coerced to access one or more arbitrary URLs prior to
> authentication, and the Client Certificate URL extension
> appears to suffer the same vulnerabilities and security
> problems.
> 
> -Martin
> 
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email