IETF Logo Mail Archive

Re: [Uta] Opsdir early review of draft-ietf-uta-rfc6125bis-08

Peter Saint-Andre <stpeter@stpeter.im> Mon, 19 December 2022 00:20 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BD99C14CE36; Sun, 18 Dec 2022 16:20:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=EUEJDaiv; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Qxhoxb9u
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mswg53XGiKwV; Sun, 18 Dec 2022 16:19:59 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68435C14F721; Sun, 18 Dec 2022 16:19:59 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 868EA5C007A; Sun, 18 Dec 2022 19:19:58 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sun, 18 Dec 2022 19:19:58 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1671409198; x= 1671495598; bh=16v/a6oW1VcFwIXg0iI3JUfxhbR1OyuHytQhyBoYH7g=; b=E UEJDaiv9w3RiNe23PHU7xom1riRvW54dVvEMrTcJGNDI81nrij+IjocdhsORhD1A UGl8hs4kyFpLr8Jaz35owTc+PxnFgxqbElc4W9Y6DrmRgCWten2B+2pPjKPQIwq6 i/AWhgyIV+WujeokGyPBBM4K4U7CXvBaX4EnOm7A9bF1ZDaQOn0cpkaQo/VBbx+D OzADy8706PjZA8k3ojpRr/0bk0xBVN1QT4MM8RsQW6xkT93o6fJphf+j2cpOkjka 82o2ogxehD+QxRENDbJgl5kl+bimj61xxkYPhXkM+ZgyM2eyoOWdxuESD4Q7eoEi MuHMWQxq4yrlbKGw1rsxA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1671409198; x= 1671495598; bh=16v/a6oW1VcFwIXg0iI3JUfxhbR1OyuHytQhyBoYH7g=; b=Q xhoxb9uZpMAiQ9xOwtIWCs4HcY9N0JNVBgfUkMpRGblBkUcRKWSPI/2VDuYhDolv 8AcKIlwXZ9O7NcGVoIEqYtPHsIIJY+Mqu4GCW/i9QzEupsA9VvIQSglwk9+D/HS+ 1GlH0HJ4n4Mf11Gb0iKshXJVft8/LqkMeDkZVSMXVkbd9S08Hf1xI6gQrpDh8y+q SX3rHR4z9hjfcw7TVIlBm9Rjduag1R/ruLDWMnklI8LbAz6Z3n1rjTt89vyw2gSC 7Fpk5pWayPLD4evQg3MbrW5G8E90DCmMRyyHW1LAuwsc/EDz7VsehQbeFhvgYFrA uO9E7Tv1ynOXm2BPYE7oA==
X-ME-Sender: <xms:Lq6fYyU4TrmjxJ-8xbfwz56So5lqg_gyavZSO5LzjiMaC1OamjQ2Sg> <xme:Lq6fY-lB0Uye7vFdGnfhnVS7MtEPGt1t_OBORTf7vtvUWZrg5PMhdKIFe37MNtMBK 7MUzo6USdvQ6UVnOg>
X-ME-Received: <xmr:Lq6fY2a-fH76QX3Je3V6LWYsFwohxO03f0m-2QPhW2qO0Ty1jJkwcRs31juUkfDT>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrgedvgddulecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfvfevfhfhufgjtgfgsehtke ertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshhtphgv thgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpeejhefftdegleevff etveffkeeivdelgfekueegfeeitdeuieetveekhedtvdetffenucffohhmrghinhepghhi thhhuhgsrdgtohhmpdgvgigrmhhplhgvrdhnvghtpdhhthhtphgrphhplhhitggrthhioh hntghlihgvnhhtshgrnhgushgvrhhvvghrshgtohhulhgurhgvqhhuihhrvghthhgvuhhs vghofhhtlhhsrdhhvghrvgdpohifrghsphdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehsthhpvghtvghrrdhi mh
X-ME-Proxy: <xmx:Lq6fY5UhGC34rBL6sM1DTtWJ_5dvmKqrgFyMI73AeeIQ_7aFsUhEtg> <xmx:Lq6fY8nuEUn2XWwFe_5OaQtUoFLWJFUOvTAfK-K4I5Xpq1Jkv-bKVg> <xmx:Lq6fY-fdXSnBeofBgXiCDhQg1URw6ZSgK7pMweIUa_N4xCNYHFcQig> <xmx:Lq6fY2h59xJ4au_f1UhUFVE0_y-ZbZldF7-7DJRtuLggrn-zsMuU3A>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 18 Dec 2022 19:19:57 -0500 (EST)
Message-ID: <0bf1ccbd-dbb2-6f17-f5a3-445f2a086113@stpeter.im>
Date: Sun, 18 Dec 2022 17:19:56 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.1
Content-Language: en-US
To: Qin Wu <bill.wu@huawei.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Cc: "draft-ietf-uta-rfc6125bis.all@ietf.org" <draft-ietf-uta-rfc6125bis.all@ietf.org>, "uta@ietf.org" <uta@ietf.org>
References: <fd8b88bcc5d94cd9b33efa2f37b60d68@huawei.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <fd8b88bcc5d94cd9b33efa2f37b60d68@huawei.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/FAPQJfG71D2Chsrak7CJS2bCBuc>
Subject: Re: [Uta] Opsdir early review of draft-ietf-uta-rfc6125bis-08
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2022 00:20:04 -0000

On 12/17/22 6:40 AM, Qin Wu wrote:
> Hi, Peter:
> -----邮件原件-----
> 发件人: Peter Saint-Andre [mailto:stpeter@stpeter.im]
> 发送时间: 2022年12月17日 6:51
> 收件人: Qin Wu <bill.wu@huawei.com>; ops-dir@ietf.org
> 抄送: draft-ietf-uta-rfc6125bis.all@ietf.org; uta@ietf.org
> 主题: Re: Opsdir early review of draft-ietf-uta-rfc6125bis-08
> 
> Hello and thanks for the early review.
> 
> I've provided a few comments inline.
> 
> On 12/16/22 4:09 AM, Qin Wu via Datatracker wrote:
>> Reviewer: Qin Wu
>> Review result: Has Nits
>>
>> I have reviewed this document as part of the Operational directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG. These comments were written with the intent of improving the
>> operational aspects of the IETF drafts. Comments that are not
>> addressed in last call may be included in AD reviews during the IESG
>> review.  Document editors and WG chairs should treat these comments just like any other last call comments.
>>
>> This document specifies procedures for representing and verifying the
>> application services identity in TLS interaction with PKI X.509 certificates.
>>
>> I believe this document is well written and ready for publication.
>>
>> Major issue:
>> No
>>
>> Minor issues:
>> 1.Section 1.2 Applicability
>> s/ cetrificate/certificate
> 
> Already noted:
> https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/69
> [Qin Wu] :Good.
>> 2. Delegated domain definition
>> “ For example, a server at mail.example.net could be a delegated
>> domain for connecting to an IMAP server hosting an email address of
>> user@example.net. ” I can not parse this sentence, is the server a
>> delegated domain? Which domain is the source domain? Which domain is
>> delegated domain ? please make this clear in the example.
> 
> Yes, this could be clearer. In this case the source domain is example.net (i.e., the `domain` portion of the `addr-spec` construct defined in RFC 5322).
> 
> [Qin Wu] Thanks for clarification and taking my suggestion. It adds clarity now.

Great. We will improve that text in the next version:

https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/72

>> 3.Section 2 Identifying Application Service What is meaning difference
>> between _direct_ and direct or _indirect_ and indirect? In section 2,
>> sometimes _direct_/_indirect_ is used, sometimes direct/indirect is used.
> 
> There is no semantic difference between the two - apparently in 6125bis we added the underscores to indicate a kind of emphasis, but we did not follow that convention in RFC 6125.
> 
> [Qin Wu]Okay,  I leave this minor issues to your authors for jurisdiction, I have no strong opinion on this.

I'll discuss it with my co-author, but I lean toward removing the 
underscores.

>> 4.Section 2 said:
>> “   We can categorize the three identifier types as follows:
>>
>>      *  A DNS-ID is direct and unrestricted.
>>
>>      *  An IP-ID is direct and unrestricted.
>>
>>      *  An SRV-ID is typically indirect but can be direct, and is
>>         restricted.
>>
>>      *  A URI-ID is direct and restricted.
>> ”
>> Three identifier types or four identifier types? My impression is the latter.
> 
> There are four - we added IP-ID recently and neglected to update that text.
> 
> [Qin Wu] Good.

Noted: https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/73

>> 5.Section 2
>> s/possibile/possible
> 
> Noted.
> 
>> 6.Section 3 said:
>> “In this case, applications need
>>      to be aware that the textual representation of an IPv4 address can
>>      appear to be a valid DNS name, though it is not.  ”
>> it in the text ‘though it is not’ is referred to digit representation
>> of an
>> IPv4 address? Or not?
> 
> Because Martin Thomson provided that text, perhaps he can clarify his intent.
> [Qin Wu] Okay, I also forget to note that in the following sentences, it said:
> "
> Note also that by policy, Top-Level Domains ([DNS-TERMS])
>     do not start with a digit (TODO: citation needed).
> "
> I believe "(TODO: citation needed)" needs to be cleaned up with citation added.

Good catch - we will track down the appropriate citation.

>> 7.Section 7.1
>> I am surprised there is no protection measures to mitigate risk of
>> vouching for rogue or buggy hosts in this document?
> 
> It seems to me that methods for mitigating the attacks described in [Defeating-SSL] and [HTTPSbytes] are probably out of scope for this document.
> 
> The [HTTPSbytes] attack depends on cross-site scripting, and thus I think that mitigations should be explained in web-specific specifications (e.g., JavaScript, HTML input validation, cookies).
> 
> The [Defeating-SSL] attack depends on starting with plaintext HTTP (not
> HTTPS) and of course no certificate checking happens over plaintext HTTP. The attack also includes further trickery involving UX differences between U-labels and A-labels as well as confusable characters, but in Section 6.3 we already specify that domains must be checked as A-labels and in Section 7.2 we point to relevant specifications regarding internationalized domain names. These matters are notoriously thorny and difficult to solve, so it's not clear to me how much more we can say.
> Naturally, suggestions are welcome.
> 
> [Qin Wu] Thanks for clarification, it looks to me that attack described in [Defeating-SSL] can be solved in the solution proposed in web specific specification while attack described in [HTTPSbytes] can not be solved or fully solved.
> If that is the case, why we should quote [Defeating-SSL]? Is [Defeating-SSL] really relevant to this document? Do you assume plaintext HTTP can work with TLS? No?

Perhaps some history would be helpful.

When Jeff Hodges and I were working on the document that was eventually 
published as RFC 6125 (this was around 2009 or 2010, before the UTA WG 
was formed), we had a strong desire to remove wildcard certificates 
entirely. However, enough people said "wildcard certificates are 
important" that we were persuaded to leave them in.

Here we are in 2022 and still enough people in the UTA WG said "wildcard 
certificates are important" that we could not gain consensus to remove them.

However, it's also important to note that wildcard certificates can lead 
to various attacks. Although I think it's not the job of *this* 
specification to mitigate those attacks, people should be aware of them.

With that said, we could also make people aware of some of the practical 
mitigations, such as:

1. Don't use wildcard certificates unless absolutely necessary.

2. To help mitigate against the attack described in [Defeating-SSL] 
(which starts with plaintext HTTP), application clients and servers 
could require the use of TLS. Here we could cite §3.2 of RFC 9325.

3. To help mitigate against the attack described in [HTTPSbytes], web 
clients and servers could put in place protections against cross-site 
scripting attacks. Here we could point to the OWASP guidelines at 
https://owasp.org/www-community/attacks/xss/

Do you think that adding some text along these lines would be an 
improvement?

Thanks for pressing on this point.

Peter

v2.23.0 | Report a Bug | By Email