[TLS] A query related to support the hard-failing when subdomain1.example.com tries to front example.com?

Avineshwar Singh <avineshwar@gmail.com> Mon, 29 June 2020 01:57 UTC

From: Avineshwar Singh <avineshwar@gmail.com>
Date: Sun, 28 Jun 2020 20:56:53 -0500
Message-ID: <CAAjMxWU0JzYcv-h9kzaeDe+kx0FL2_4w0M6X7pOmCkt4TekOMg@mail.gmail.com>
To: draft-ietf-pkix-rfc3280bis@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YfYgF0WaDAm0lw_SwswfmkWqQJM>
Subject: [TLS] A query related to support the hard-failing when subdomain1.example.com tries to front example.com?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

In the context of TLS, what can be done to detect a MITM by
*subdomain1.example.com* of *example.com*?

Can the TLS checks fail (assuming the CNAME contains a wildcard)? Let's say
public key pinning isn't used.

I could think of *blacklistedSubjectAlternativeName* such that they serve
as an overriding *blacklist of SANs*. This may reinforce:

   - explicit intent
   - protection against insider compromise/threats
   - undermining a controlling entity's *theoretical* powers
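The question above turns on what a certificate presented by subdomain1.example.com is actually allowed to match. The following is an added example (not part of the original message, and not code from any IETF document): a pure-Python hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rule, under which the '*' label must be the complete left-most label and matches exactly one label, so a wildcard for *.example.com covers subdomain1.example.com but never the apex example.com. It also models the message's proposed "blacklist of SANs" as a hypothetical check named blacklist_aware_match; that function, its parameter names, and the sample SAN lists are assumptions made for illustration. (RFC 5280's NameConstraints extension, with its excludedSubtrees, already provides a CA-level exclusion list of this kind; it is not implemented here.)

```python
"""Hostname-to-SAN matching for the subdomain-fronts-apex scenario.

Added example, not code from the original post. Matching follows the
RFC 6125 section 6.4.3 wildcard rule (assumption: that rule is what the
verifier in question implements). The 'blacklist' check is a hypothetical
model of the post's blacklistedSubjectAlternativeName idea.
"""


def _normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.strip().lower().rstrip(".")


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry `pattern` covers `hostname`.

    Rules applied:
      * no wildcard: exact label-wise match
      * wildcard: only a bare '*' as the entire left-most label is accepted,
        the pattern must keep at least two further labels (so '*' and '*.com'
        are rejected), and '*' matches exactly one label, never zero or many
    """
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Reject partial wildcards such as 'sub*.example.com' and too-broad ones.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Exactly one label consumed by '*': label counts must agree, so
    # '*.example.com' matches 'a.example.com' but not 'example.com' or
    # 'a.b.example.com'.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(sans: list[str], hostname: str) -> bool:
    """Standard check: any dNSName SAN covering the requested hostname."""
    return any(match_dns_name(san, hostname) for san in sans)


def blacklist_aware_match(sans: list[str], blacklist: list[str], hostname: str) -> bool:
    """Hypothetical overriding blacklist, modelled on the post's idea.

    If any blacklisted name pattern covers `hostname`, fail hard regardless
    of what the SAN list says; otherwise fall back to the normal SAN check.
    This is an assumption about semantics, not a specified extension.
    """
    if any(match_dns_name(entry, hostname) for entry in blacklist):
        return False
    return cert_matches_host(sans, hostname)


# Constructed sample data for the scenario in the post (not real certificates).
WILDCARD_SANS = ["*.example.com"]
OVERBROAD_SANS = ["subdomain1.example.com", "example.com"]  # e.g. insider-issued


def scenario() -> dict[str, bool]:
    """Run the scenario checks and return the outcomes by name."""
    return {
        "wildcard_covers_subdomain": cert_matches_host(WILDCARD_SANS, "subdomain1.example.com"),
        "wildcard_covers_apex": cert_matches_host(WILDCARD_SANS, "example.com"),
        "overbroad_covers_apex": cert_matches_host(OVERBROAD_SANS, "example.com"),
        "overbroad_blocked_by_blacklist": blacklist_aware_match(
            OVERBROAD_SANS, ["example.com"], "example.com"
        ),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The practical point: a plain wildcard certificate for *.example.com cannot be used to front example.com under the standard matching rule, so the fronting case the post worries about only arises when a certificate is issued with the apex name itself in its SAN list; the blacklist modelled above only helps if the verifier is told about it out of band.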