IETF Logo Mail Archive

Re: [TLS] RFC 2818 wildcard rationale

Martin Rex <mrex@sap.com> Fri, 04 May 2012 17:51 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2611A21F8570 for <tls@ietfa.amsl.com>; Fri, 4 May 2012 10:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.284
X-Spam-Level:
X-Spam-Status: No, score=-4.284 tagged_above=-999 required=5 tests=[AWL=-5.723, BAYES_00=-2.599, HELO_EQ_DE=0.35, MANGLED_OFF=2.3, RCVD_IN_DNSWL_HI=-8, SARE_SPOOF_COM2COM=2.536, SARE_SPOOF_COM2OTH=2.536, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Snr15k9S2tVt for <tls@ietfa.amsl.com>; Fri, 4 May 2012 10:51:17 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 273CF21F856F for <tls@ietf.org>; Fri, 4 May 2012 10:51:16 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q44HpEWR010655 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 4 May 2012 19:51:14 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205041751.q44HpEKf014471@fs4113.wdf.sap.corp>
To: chris@randomnonce.org
Date: Fri, 04 May 2012 19:51:14 +0200
In-Reply-To: <CADKevbD61SfUg8mv86hfVbn90ARCX0Cw7RrLBSPekfvDMK5enw@mail.gmail.com> from "Chris Richardson" at May 4, 12 02:22:00 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] RFC 2818 wildcard rationale
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 17:51:18 -0000

Chris Richardson wrote:
> 
> > Regarding #1, if * matched multiple labels, it would match
> > www.yourbank.com.whatever.example.com, which would be a very bad thing since
> > it can mislead users into thinking that they are visiting
> > "www.yourbank.com".
> 
> Are there any circumstances under which an (individual/organization)
> is authorized to have a certificate for *.example.com, but is not
> authorized to have a certificate for
> www.yourbank.com.whatever.example.com?

That is an "interesting question" (not on DANE's radar so far).

Being authorized (as being the domain owner) does not mean that every
commercial/public CA will issue a TLS server certificate for such a name.

AFAIK, at least some of the CAs will refuse to issue TLS server certs
to owners of domains that could be used for typo-squatting high-profile
sites/domains.

The issue that Yngve mentioned is about the common behaviour of
DNS resolvers to have a "default domain" or "searchlist" which they
use to complete a hostname that does not have a trailing dot before
trying to resolve that name via DNS.


> 
> > Regarding #2, I don't think that would introduce any real badness, except
> > having to edit the rulestring, which make already complex logic more
> > complex, and more likely to fail an unsecure manner (there is also the fact
> > that you can have "f*.example.com", which should not allow #2 to be
> > generated, causing more complexity). However, adding a separate rule for
> > "example.com" in the SAN field is very simple.
> 
> If both (1) and (2) were allowed, that would eliminate the need for
> wildcards which should simplify the logic.
> 
> And out of curiousity, are there any real examples of f*.example.com
> certificates?  Are there any circumstances under which that is a good
> idea?

There is a huge variety of different behaviour in the installed
base with respect to wildcard matching from rfc2818 Section 3.1
server endpoint identification.

Adding more options at this point would only lead to further divergence
of the behaviour (=less predictable) in the installed base,
so I consider it a bad idea.

Limiting the options to what is easy to understand and explain,
and supported by a significant fraction of the installed base,
seems much more reasonable at this point.


-Martin

v2.23.0 | Report a Bug | By Email