[TLS] A query related to support the hard-failing when subdomain1.example.com tries to front example.com?
Avineshwar Singh <avineshwar@gmail.com> Mon, 29 June 2020 01:57 UTC
In the context of TLS, what can be done to detect a MITM by *subdomain1.example.com* of *example.com*? Can the TLS checks fail (assuming the CNAME contains a wildcard)? Let's say public key pinning isn't used.

I could think of *blacklistedSubjectAlternativeName* such that they serve as an overriding *blacklist of SANs*. This may reinforce:

- explicit intent
- protection against insider compromise/threats
- undermining a controlling entity's *theoretical* powers
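As an added example (not part of the original message), the following RFC 6125-style hostname check shows how a certificate issued to subdomain1.example.com, or to the wildcard *.example.com, fares when presented for example.com, and models the poster's hypothetical "blacklist of SANs" as an overriding reject; the function names and denylist are constructed for illustration.

```python
# Added example, not from the original message: RFC 6125-style matching of a
# hostname against a certificate's subjectAltName dNSName entries, plus the
# hypothetical overriding SAN denylist proposed in the post. All names here
# are constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (case-insensitive).

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label (RFC 6125 section 6.4.3): "*.example.com" covers
    "subdomain1.example.com" but neither "example.com" itself nor
    "a.b.example.com". Anything else must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, at least two labels to the right of the wildcard, and
    # every label after the wildcard identical: rejects the parent domain and
    # deeper subdomains alike.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(host: str, san_dns_names: list[str],
                    denied_sans: frozenset[str] = frozenset()) -> bool:
    """Return True if a certificate carrying `san_dns_names` is acceptable for `host`.

    `denied_sans` is the hypothetical "blacklistedSubjectAlternativeName" list
    from the post: if the certificate names any denied SAN, it is rejected
    outright, regardless of whatever else it would otherwise match.
    """
    cert_sans = {s.lower().rstrip(".") for s in san_dns_names}
    if cert_sans & {d.lower().rstrip(".") for d in denied_sans}:
        return False
    return any(san_matches(san, host) for san in cert_sans)


if __name__ == "__main__":
    # A subdomain's certificate (even with a wildcard) does not validate for the parent.
    print(verify_hostname("example.com", ["subdomain1.example.com", "*.example.com"]))
    # The parent's own certificate validates, unless a denylist names it.
    print(verify_hostname("example.com", ["example.com", "www.example.com"]))
    print(verify_hostname("example.com", ["example.com"], frozenset({"example.com"})))
```

Under standard matching the wildcard case already fails for the parent name, so the denylist only adds value where the certificate legitimately lists the name you want to refuse.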