IETF Logo Mail Archive

Re: [TLS] matching identity, by default

Kyle Hamilton <aerowolf@gmail.com> Fri, 04 December 2009 19:16 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 08FA53A685B for <tls@core3.amsl.com>; Fri, 4 Dec 2009 11:16:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.58
X-Spam-Level:
X-Spam-Status: No, score=-2.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bx1YGkdxlGVx for <tls@core3.amsl.com>; Fri, 4 Dec 2009 11:16:11 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id 1294C3A63EB for <tls@ietf.org>; Fri, 4 Dec 2009 11:16:11 -0800 (PST)
Received: by pwi5 with SMTP id 5so1641915pwi.29 for <tls@ietf.org>; Fri, 04 Dec 2009 11:16:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=3ThMPSAAkV6qjJdX4q6wvnl7/ZsYDlgQLXoTJ/o5atQ=; b=VAsHqxUFXmNaO9he2gg+GslTXoMPiB8sP1aZJ4TuU8xPJAw+wn8TJ+RnWy2GWwePbk Bux648FXM+s0q4JmO+/kogky5iD3VBaIjhzdUWNYk71NtZnFmBvTJxqh5P/FP20hkBhQ drMXaqngkEuKZhGeX8hlq+r7vg9/tEsAZ70W8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=OvStU+8mmeCvj5t89/JWglfRpmKCxFTxD9BTVJGnM6W6oiZdp+YwDilHh4H2sr9/3n F32YCxfHuM4jO43U3YRi0rwWZMFePB7QOrUhI2WN52zb3y1kK72E16Y2oRxTyIWbmci7 iatq88cCn3KVf2m+//Gly2loNDBpenYO4PJ2Y=
MIME-Version: 1.0
Received: by 10.143.24.42 with SMTP id b42mr457977wfj.41.1259954159866; Fri, 04 Dec 2009 11:15:59 -0800 (PST)
In-Reply-To: <4B152A4C.9070702@cs.tcd.ie>
References: <C2329F9D-F5EF-4E8B-9EE8-ED246D7B7287@manger.com.au> <4B152A4C.9070702@cs.tcd.ie>
Date: Fri, 04 Dec 2009 11:15:59 -0800
Message-ID: <6b9359640912041115t143fc568pb19048164a0b6ab6@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org, James Manger <james@manger.com.au>
Subject: Re: [TLS] matching identity, by default
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 19:16:12 -0000

PKIX -- as a subset of X.509 -- states that the Subject and Issuer
together describe the identity.  Specifically, the Subject contains
the (unique) moniker for the entity which the certificate has been
issued to.  The Issuer describes which trust anchor to use to verify
the signature.

(Trust anchor management is horrible, and there's been no discussion
of any UI to state that, for example, the "Snake Oil RSA Root" and
"Snake Oil EC Root" are really the same Authority, simply with a
different TA.)

I believe that this specific issue (identity) is out of scope of TLS,
and is within the scope of PKIX.  Specifically, they've already
defined a way to compare identities with certificates, and it
certainly isn't with a bitwise comparison of an expired certificate!
(Hint: the Subject contains several Directory Components, and each of
those should be compared, if you want to verify that the identity
hasn't changed.)

In the alternative, I believe that the bit-wise comparison is worse
than useless, and I believe that the "MAY" should be changed to a very
strong "SHOULD".

-Kyle H

On Tue, Dec 1, 2009 at 6:38 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> James Manger wrote:
>> I strongly support the consistent identity check in the Security Considerations section of draft-ietf-tls-renegotiation-01.
>
> Fair enough.
>
>> There may be some niche uses of TLS for which changing an identity during renegotiation makes sense. That is adequately supported by the last paragraph in the Security Considerations: "A TLS library MAY provide a means for the application to allow identity and/or server_name changes across renegotiations...". However, for 99.9...% of TLS uses an identity changing during renegotiation will be totally unexpected by the higher-layer application and can only cause problems.
>
> I'd buy that.
>
>> A few people have argued that the consistent identity check is a separate issue that should not be addressed now. I don't think that is a fair characterisation.
>
> I'm not sure what you mean by "characterisation."
>
> My point was simply that this *is* a different issue from the
> renegotiation bug, that we're fixing that bug in "emergency"
> mode and that we therefore shouldn't change *anything* else
> whilst in that mode.
>
> To give one example - rfc 2712 says how to use kerberos with
> TLS. (I've no idea if that's really in use.) The text in -01
> doesn't say how to handle that, but does have a MUST on
> no-change. That could break something. I don't want to hold
> the bug fix while we figure that out.
>
> I just thinks its safer to do this later with some other draft
> that UPDATEs 5246.
>
> Stephen.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email