IETF Logo Mail Archive

Re: [TLS] [certid] Fwd: secdir review of draft-saintandre-tls-server-id-check-09

Peter Saint-Andre <stpeter@stpeter.im> Wed, 22 September 2010 17:17 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C87D3A6B00; Wed, 22 Sep 2010 10:17:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.548
X-Spam-Level:
X-Spam-Status: No, score=-102.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PnFYPrjvdQor; Wed, 22 Sep 2010 10:17:25 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 2FD483A6A7F; Wed, 22 Sep 2010 10:17:24 -0700 (PDT)
Received: from moveme.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 5020F40074; Wed, 22 Sep 2010 11:22:43 -0600 (MDT)
Message-ID: <4C9A3A3B.9090908@stpeter.im>
Date: Wed, 22 Sep 2010 11:17:47 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.12) Gecko/20100914 Thunderbird/3.0.8
MIME-Version: 1.0
To: Matt McCutchen <matt@mattmccutchen.net>
References: <4C912A86.3040402@stpeter.im> <58606B11-D4CC-43F4-8971-90D51780A21B@jpl.nasa.gov> <1284608876.5722.56.camel@mattlaptop2.local>
In-Reply-To: <1284608876.5722.56.camel@mattlaptop2.local>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org, barryleiba@computer.org, IETF discussion list <ietf@ietf.org>
Subject: Re: [TLS] [certid] Fwd: secdir review of draft-saintandre-tls-server-id-check-09
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 17:17:26 -0000

On 9/15/10 9:47 PM, Matt McCutchen wrote:
> On Wed, 2010-09-15 at 16:58 -0700, Henry B. Hotz wrote:
>> On Sep 15, 2010, at 1:20 PM, Peter Saint-Andre wrote:
>>
>>> -- Page 22, sec 5.1:
>>>   When the connecting application is an interactive client, the source
>>>   domain name and service type MUST be provided by a human user (e.g.
>>>   when specifying the server portion of the user's account name on the
>>>   server or when explicitly configuring the client to connect to a
>>>   particular host or URI as in [SIP-LOC]) and MUST NOT be derived from
>>>   the user inputs in an automated fashion (e.g., a host name or domain
>>>   name discovered through DNS resolution of the source domain).  This
>>>   rule is important because only a match between the user inputs (in
>>>   the form of a reference identifier) and a presented identifier
>>>   enables the client to be sure that the certificate can legitimately
>>>   be used to secure the connection.
>>>
>>> Does this mean that a client specifically designed for the "gumbo"
>>> service can't automatically use the service type "gumbo", without the
>>> user's involvement?  Or that a client put out by example.net can't
>>> assume a host name of services.example.net in the absence of user
>>> input that says otherwise?
>>>
>>> Further, it's entirely reasonable for a program to have a user enter
>>> something like "gmail", and have the client turn that into something
>>> like "mail.google.com", deriving it from the user's input in an
>>> automated fashion.  Do we really want to forbid that sort of thing?
>>
>>
>> That strikes me as an awfully blase comment for a security review.
>> Whatever process translates the user input into the name that's used
>> to verify the server's id is a critical part of the verification.  If
>> you can subvert the translation, then you can subvert the server ID
>> check, which is the whole point of this draft.
>>
>> I'm not opposed to the idea of name canonicalization, but it has to be
>> done in an authoritative, secure fashion
> 
> Exactly.
> 
>> and that's probably out of scope for this draft.
> 
> Is it?  We may be able to make a useful general statement.  There are
> two issues here:
> 
> 1. "Authoritative": different applications and even users may have
> different ideas of what name canonicalization processes are
> "authoritative", so all we can ask of compliant implementations is to
> document which processes they use.  "Profiles" of server-id-check may
> fill in more details.
> 
> 2. "Secure": given that the point of TLS is to protect against network
> attackers, it makes no sense to use a name canonicalization process that
> is vulnerable to them.  We can say, "Any process by which the source
> domain is derived from user input MUST NOT be subject to subversion by
> network attackers", or some such.

Over a year ago, Alexey Melnikov suggested adding text along those lines
and somehow it got lost during the revision process. We'll add something
to that effect back to the spec. The text that Alexey suggested was
similar to text from RFC 4513, and you can see it in version -02 of
draft-saintandre-tls-server-id-check:

   4.  Before attempting to find a match in relation to a particular
       presented identity, the client MAY map the reference identity to
       a different identity type.  Such a mapping MAY be performed for
       any available subjectAltName type to which the reference identity
       can be mapped; however, the reference identity SHOULD be mapped
       only to types for which the mapping is either inherently secure
       (e.g., extracting the DNS name from a URI to compare with a
       subjectAltName of type dNSName or SRVName) or for which the
       mapping is performed in a secure manner (e.g., using [DNSSEC], or
       using a user-configured or admin-configured lookup table for
       host-to-address or address-to-host translations).

> Tangent: I know we want to avoid implementations that do foolish things
> being claimed as compliant, but IMO, the requirement that input come
> from a "human user" is goofy for a technical specification and in
> practice a non-starter.  A web browser that followed a HTTP redirection
> to a https: URL would violate it.  The web has evolved toward complex
> applications in which all pretense that the user is mediating the
> issuance of HTTP requests has been abandoned, which brings major
> productivity benefits as well as major security implications; ignoring
> this would be a mistake.

Wes Hardaker also raised this issue in his review. Jeff and I agree that
this is an open issue and are working to address it.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email