IETF Logo Mail Archive

Re: [Uta] Opsdir early review of draft-ietf-uta-rfc6125bis-08

Peter Saint-Andre <stpeter@stpeter.im> Fri, 16 December 2022 22:51 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D00E4C1524D8; Fri, 16 Dec 2022 14:51:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=MYQ2PeHh; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=o0u80qyJ
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gq19QUwyAMje; Fri, 16 Dec 2022 14:51:38 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85B8CC1522BD; Fri, 16 Dec 2022 14:51:14 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 772F85C0066; Fri, 16 Dec 2022 17:51:13 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 16 Dec 2022 17:51:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1671231073; x= 1671317473; bh=URuqDj4mZZl1d5LsRH8sruz/BAmzE0K064AaL32TfP8=; b=M YQ2PeHhIIk51ZfypmtJ1Il5EKpZ3CfJmyhBnY+yqRNgqjW3lBg+E+I5b/1acL7h9 TBhlGdlVMWhvF3sehZ19rLLdiA3rwwpHIZKxbKrmXOHNf84/+sR/NZvh0JzuEcfu 922xrUn2T6rRMM/026LSFUc1xCGNDIiRmc1p8ROZgbTWegNvYe6bYEBMxz0lXaop axPR9ZFH14+kDtSAMt/R0a7TNSV/y4r+0VSIyKCK2TByzXsx8cw1SELNFROqA7Be sGbkIbk8Yuka1ngc4nr61Teg3nqwhxKQtm/0ma2w7Cn94KcUT3jGNSs1BfCOK6OO tJWdNGbr3zzUHE4tqc1Cg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1671231073; x= 1671317473; bh=URuqDj4mZZl1d5LsRH8sruz/BAmzE0K064AaL32TfP8=; b=o 0u80qyJQhdrEKXIAgAtNE0Dutl2nkUnADfxHJMs+EK7I76beaZtSszpOmWJBck+i aM7etMQ3wIjtL4SbJuOe+i2U7gxgn01E+tYWPqf4utdytPgmf02RKceIuc9/oE/z 4qZv6d53gz2Ju/HYdslvJhNEOvROY+UVL8UVX1autRuqqwYEtupa1Yjc/uzZE1OG 6Frowx9KA2QiNZ6qfaGGBowRHAS+G5TT5+dFwvR6yks0lqxq2zHKjy8wwQ1QsaB/ aqX0WM7K0VvqwZ/yNGS4YoQRqAPy9lh53QaKkIV/wAhuT3hN4SrQHbEbwc31AES2 7pw4889Wu35YX1R5e8Tng==
X-ME-Sender: <xms:YPacY4-3tmisnlh1hE18bf9HFP37wi-xdyuzB1NAoVPzSXXNzBBdjQ> <xme:YPacYwu-gEAnvSowwr1RrGJ_uQWYdI8pQm6yVUZEHUZpQlFr5P1pbeKzYNNmd-y2m XSltLzS90dDEbxocg>
X-ME-Received: <xmr:YPacY-AkE9UB68QhOa_nj34Ab2Tue3HOtdiPXtlUhND8nLY36iIoAbr_K43LoOcr>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekgddtvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfvfevfhfhufgjtgfgsehtke ertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshhtphgv thgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpedvhfduveefkeegff elkefhveeufeeiffeffeetkeduleekjefffeegieetueeikeenucffohhmrghinhepghhi thhhuhgsrdgtohhmpdgvgigrmhhplhgvrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepshhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:YPacY4dfq28iupTmBmuxdIE_fFSY663TV_avtWvQNG9GcGdbvBOMXw> <xmx:YPacY9O6guKrc2087vtFCP9BPydPLuGVDjDT3vteVK3jmNJtmHeBmw> <xmx:YPacYym67Zo2icapX9EkjojWTql4faztsWJH_qYLzD94RpOj6ASKFA> <xmx:YfacY-rb2eP4SXsE73XDmWQJp-hxbvoinZ6CKzmFMe4gN3_o4Si1uQ>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 16 Dec 2022 17:51:11 -0500 (EST)
Message-ID: <694d315e-8327-d1ce-7ffb-7ed215a3c476@stpeter.im>
Date: Fri, 16 Dec 2022 15:51:10 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.1
Content-Language: en-US
To: Qin Wu <bill.wu@huawei.com>, ops-dir@ietf.org
Cc: draft-ietf-uta-rfc6125bis.all@ietf.org, uta@ietf.org
References: <167118898179.47169.9284386753511380472@ietfa.amsl.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <167118898179.47169.9284386753511380472@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/6XgCEHtj8BnQaHCW-GB76rtyXqE>
Subject: Re: [Uta] Opsdir early review of draft-ietf-uta-rfc6125bis-08
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2022 22:51:42 -0000

Hello and thanks for the early review.

I've provided a few comments inline.

On 12/16/22 4:09 AM, Qin Wu via Datatracker wrote:
> Reviewer: Qin Wu
> Review result: Has Nits
> 
> I have reviewed this document as part of the Operational directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These comments
> were written with the intent of improving the operational aspects of the IETF
> drafts. Comments that are not addressed in last call may be included in AD
> reviews during the IESG review.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document specifies procedures for representing and verifying the
> application services identity in TLS interaction with PKI X.509 certificates.
> 
> I believe this document is well written and ready for publication.
> 
> Major issue:
> No
> 
> Minor issues:
> 1.Section 1.2 Applicability
> s/ cetrificate/certificate

Already noted: 
https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/69

> 2. Delegated domain definition
> “ For example, a server at mail.example.net could be a delegated domain for
> connecting to an IMAP server hosting an email address of user@example.net. ” I
> can not parse this sentence, is the server a delegated domain? Which domain is
> the source domain? Which domain is delegated domain ? please make this clear in
> the example.

Yes, this could be clearer. In this case the source domain is 
example.net (i.e., the `domain` portion of the `addr-spec` construct 
defined in RFC 5322).

> 3.Section 2 Identifying Application Service What is meaning
> difference between _direct_ and direct or _indirect_ and indirect? In section
> 2, sometimes _direct_/_indirect_ is used, sometimes direct/indirect is used.

There is no semantic difference between the two - apparently in 6125bis 
we added the underscores to indicate a kind of emphasis, but we did not 
follow that convention in RFC 6125.

> 4.Section 2 said:
> “   We can categorize the three identifier types as follows:
> 
>     *  A DNS-ID is direct and unrestricted.
> 
>     *  An IP-ID is direct and unrestricted.
> 
>     *  An SRV-ID is typically indirect but can be direct, and is
>        restricted.
> 
>     *  A URI-ID is direct and restricted.
> ”
> Three identifier types or four identifier types? My impression is the latter.

There are four - we added IP-ID recently and neglected to update that text.

> 5.Section 2
> s/possibile/possible

Noted.

> 6.Section 3 said:
> “In this case, applications need
>     to be aware that the textual representation of an IPv4 address can
>     appear to be a valid DNS name, though it is not.  ”
> it in the text ‘though it is not’ is referred to digit representation of an
> IPv4 address? Or not?

Because Martin Thomson provided that text, perhaps he can clarify his 
intent.

> 7.Section 7.1
> I am surprised there is no protection measures to mitigate risk of vouching for
> rogue or buggy hosts in this document?

It seems to me that methods for mitigating the attacks described in 
[Defeating-SSL] and [HTTPSbytes] are probably out of scope for this 
document.

The [HTTPSbytes] attack depends on cross-site scripting, and thus I 
think that mitigations should be explained in web-specific 
specifications (e.g., JavaScript, HTML input validation, cookies).

The [Defeating-SSL] attack depends on starting with plaintext HTTP (not 
HTTPS) and of course no certificate checking happens over plaintext 
HTTP. The attack also includes further trickery involving UX differences 
between U-labels and A-labels as well as confusable characters, but in 
Section 6.3 we already specify that domains must be checked as A-labels 
and in Section 7.2 we point to relevant specifications regarding 
internationalized domain names. These matters are notoriously thorny and 
difficult to solve, so it's not clear to me how much more we can say. 
Naturally, suggestions are welcome.

Peter

v2.23.0 | Report a Bug | By Email