IETF Logo Mail Archive

Re: [Uta] 6125bis -- security considerations

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 28 September 2021 15:41 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F8B53A329B for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 08:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9r9kRdn--_fN for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 08:41:34 -0700 (PDT)
Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A9873A3219 for <uta@ietf.org>; Tue, 28 Sep 2021 08:41:22 -0700 (PDT)
Received: by mail-pg1-f177.google.com with SMTP id x191so14670540pgd.9 for <uta@ietf.org>; Tue, 28 Sep 2021 08:41:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=A7n27z0IULNJwiRBBbmDQXIg/ODkhqBX07RuZ+Nsijw=; b=ha0AN3dyIheH6hiIqpN2RPC05nzoXxrSgKMNwqIZObeuUoBJY6oEiTD0RAIktPFMxD 7KhxzDy1Q/PkV5sCAi1tYyDPW+CnlE/xgERzLlBsp2/hPja8Cx3R6MI3TrnFg9kh4cIm L+1kRBX4chBRFmXtD8mvsudJRjnqNe1/xl5ySuM79gVvYK3igPa13wDB+d0AQOQKahLv sPeOt0W2nlo9GzOY+bc8lM9Lege+SfRVxTOjMtUn4b/GrlMPi8/UW3RtTakYg3C/uvDt HSy0t6z/MRnB11XdXFaoUVViWflp+X1nLtj/ycItaBq3YojVKZZpCPhZl20vNBshmhBj NcIA==
X-Gm-Message-State: AOAM530GGHeOzXbBoDwEghxPdYwU9jckzt1vsNVY9Uv7xDivmq+zU/xX yxcFc44SVPot271jzTc6m9GRQW5Xjh4=
X-Google-Smtp-Source: ABdhPJwgG6YbTrs+KaWr/c5VxTgltG5D6E252rD5l81MGzNlzFAvNg3UuXKHlyahcAOJ6N/5eOjzMQ==
X-Received: by 2002:a62:7543:0:b0:44b:b97a:d0db with SMTP id q64-20020a627543000000b0044bb97ad0dbmr1724547pfc.9.1632843681582; Tue, 28 Sep 2021 08:41:21 -0700 (PDT)
Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com. [209.85.215.180]) by smtp.gmail.com with ESMTPSA id y80sm20713618pfb.196.2021.09.28.08.41.21 for <uta@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 28 Sep 2021 08:41:21 -0700 (PDT)
Received: by mail-pg1-f180.google.com with SMTP id m21so21564931pgu.13 for <uta@ietf.org>; Tue, 28 Sep 2021 08:41:21 -0700 (PDT)
X-Received: by 2002:a63:f4b:: with SMTP id 11mr5294832pgp.189.1632843680492; Tue, 28 Sep 2021 08:41:20 -0700 (PDT)
MIME-Version: 1.0
References: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
In-Reply-To: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 28 Sep 2021 11:41:09 -0400
X-Gmail-Original-Message-ID: <CAErg=HEbPtHXTtitu3qV4N=S9owaR3q9vFjAU3wwmvLu2cdJYQ@mail.gmail.com>
Message-ID: <CAErg=HEbPtHXTtitu3qV4N=S9owaR3q9vFjAU3wwmvLu2cdJYQ@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: "uta@ietf.org" <uta@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008cb13905cd100b34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/1SR559RZdvxrWeuN-iPGT-35B08>
Subject: Re: [Uta] 6125bis -- security considerations
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 15:41:46 -0000

Hey Rich,

I left a comment on GitHub with respect to the question about
"confusables". I'm not sold that the suggestion I made is the best, but I'm
mostly trying to see about aligning terminology to the modern reference and
save a few indirection clicks (from IDNA-DEFS to UTS36 to UTS39).

I'm a little sad any time there is a new dependency on the public suffix
list, even informative :) I realize the point is to say it's out of scope,
and alternative language, such as "wildcard that spans multiple domain
administration boundaries" is as clear as mud and reads like a mouthful of
marbles. My main concern/consideration is that the whole "wildcards and
PSL" is messy (all the more reason to keep it out of scope!), although I
worry folks will read this and think "Oh, this is a hint to use the PSL,
nudge and wink"

With respect to the ALPN dependency, I believe that's meant to be a
normative dependency now, due to the MUST level requirement being
introduced, correct? RFC 7301 is presently listed as an informative
dependency. That said, the MUST here is now an imposition on the client,
rather than the protocol spec, and that seems to create new challenges for
existing protocols. I left a further suggestion on GitHub for a possible
edit, to clarify that the client MUST use ALPN _if_ a protocol ID is
registered. That handles the legacy colocation problem, and reflects the
growing consensus that new protocols should register such an identifier
over TLS. It's just a thought, though, and may not be the best fit.

On Tue, Sep 28, 2021 at 10:20 AM Salz, Rich <rsalz=
40akamai.com@dmarc.ietf.org> wrote:

> I am proposing the following for the security section.  Any comments?  In
> particular, what about the “multiple identifiers” at the last few lines?
> Should that go away now?  If so, that will have ripple effects.  This text
> is currently at
> https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29
>
>
>
>
>
> # Security Considerations {#security}
>
>
>
> ## Wildcard Certificates {#security-wildcards}
>
>
>
> Wildcard certificates, those that have an identifier with "\*" as the
>
> left-most DNS label, automatically vouch for any single-label host names
>
> within their domain, but not multiple levels of domains.  This can be
>
> convenient for administrators but also poses the risk of vouching for rogue
>
> or buggy hosts. See for example {{Defeating-SSL}} (beginning at slide 91)
> and
>
> {{HTTPSbytes}} (slides 38-40).
>
>
>
> Protection against a wildcard that identifies a public suffix
>
> {{Public-Suffix}}, such as `*.co.uk` or `*.com`, is beyond the scope of
> this
>
> document.
>
>
>
> ## Internationalized Domain Names {#security-idn}
>
>
>
> Allowing internationalized domain names can lead to the inclusion of
> visually
>
> similar, or confusable, characters in certificates.  For discussion, see
> for
>
> example {{IDNA-DEFS}}.
>
>
>
> ## Multiple Identifiers {#security-multi}
>
>
>
> A given application service might be addressed by multiple DNS domain names
>
> for a variety of reasons, and a given deployment might service multiple
>
> domains or protocols.  The client MUST use the TLS Server Name
> Identification
>
> (SNI) extension as discussed in {{TLS, Section 4.4.2.2}}.  If multiple
>
> protocols share the same port, the client MUST use the Application-Layer
>
> Protocol Negotiation as described in {{ALPN}}.
>
>
>
> To accommodate the workaround that was needed before the development
>
> of the SNI extension, this specification allows multiple DNS-IDs,
>
> SRV-IDs, or URI-IDs in a certificate.
>
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>

v2.23.0 | Report a Bug | By Email