Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 29 November 2012 00:17 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8742421F889F for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 16:17:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.523
X-Spam-Level:
X-Spam-Status: No, score=-102.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLNiKLbF+mGc for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 16:17:43 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id AC25221F8893 for <tls@ietf.org>; Wed, 28 Nov 2012 16:17:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 12970BE62; Thu, 29 Nov 2012 00:17:20 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3rfbvEzeqzo; Thu, 29 Nov 2012 00:17:13 +0000 (GMT)
Received: from [10.87.48.10] (unknown [86.44.77.127]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id AF999BE5C; Thu, 29 Nov 2012 00:17:13 +0000 (GMT)
Message-ID: <50B6A989.50408@cs.tcd.ie>
Date: Thu, 29 Nov 2012 00:17:13 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: mrex@sap.com
References: <20121129000521.0CF6D1A3BF@ld9781.wdf.sap.corp>
In-Reply-To: <20121129000521.0CF6D1A3BF@ld9781.wdf.sap.corp>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Florian Weimer <fweimer@redhat.com>, Geoffrey Keating <geoffk@geoffk.org>, tls@ietf.org
Subject: Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2012 00:17:43 -0000
Hiya, On 11/29/2012 12:05 AM, Martin Rex wrote: >> Geoffrey Keating wrote: >>> >>> Maybe a related example will help: suppose the user is trying to >>> connect to https://198.51.100.3. There is an HTTP proxy configured, >>> so what the browser actually does is make a TCP connection to >>> 192.0.2.99, send 'CONNECT https://198.51.100.3', and then start the >>> SSL negotiation. The certificate still has to mention 198.51.100.3, >>> and doesn't have to mention 192.0.2.99. >>> >>> So, in MPTCP, if the user asks for mphttps://198.51.100.3 (or >>> whatever), then 198.51.100.3 is the address that has to appear in the >>> certificate, even if the connection is redirected to some other >>> endpoint, even if the redirection happens before any data is actually >>> sent on the connection. > > Thanks for the example! > That is what I had in mind (but failed to properly explain). > > > Stephen Farrell wrote: >> >> Right. And I think that ignoring excludedSubtrees that's all >> fine > > HUH? > > With "excludedSubtrees", are you thinking of X.509 Name Constraints > (on IP addresses as subject alt names)? > > There is no such thing as an "excludedSubtrees" return parameter > defined for the PKIX "Basic Path Validation": > > http://tools.ietf.org/html/rfc5280#section-6.1.6 > > 6.1.6. Outputs > > If path processing succeeds, the procedure terminates, returning a > success indication together with final value of the > valid_policy_tree, the working_public_key, the > working_public_key_algorithm, and the working_public_key_parameters. > > > Name Constraints must appear only in CA certificates, Name Constraints > are meaningful and visible exclusively to the internals of the Certificate > Path Validation function, and apply exclusively to Names that are > actually _present_ in subordinate certificates on the path and to the > value of Names _exactly_ as they appear _in_the_certificate_. Ah, you're right there, thanks. Silly me. I think we agree about all the rest. Thanks, S. > > >> >> and the right thing is to say that the TLS implementation >> ought only compare the address of with which it chose to connect >> for a client or the 1st subflow for a server against certs, if >> it needs to bother with that. > > I agree, a note should probably added to very very strongly discourage using > any of the characteristics from the resulting connection for performing > server endpoint identification or a real server authentication. Only > original/trustworthy information ought to be used that existed before > trying to establish the actual network connection with the peer. > > An indirection through a "trusted directory" (secure is not sufficient) > would be OK, such as a trusted local configuration, a lookup in a secure > directory (something that existed in DCE), or e.g. transformation through > a DNSSEC-protected TLSA lookup according to DANE. > > >> >> I'm not sure what to say about excludedSubtrees though. > > If this is about X.509 Name Constraints, then IMO nothing should be said > within mptcp. It is a matter completely internal to PKIX certificate > path validation. > > > -Martin > >
- [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Peter Saint-Andre
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer