[Uta] FW: [Ntp] Wildcards in NTS certificate checking

"Salz, Rich" <rsalz@akamai.com> Tue, 19 April 2022 18:14 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "uta@ietf.org" <uta@ietf.org>
CC: Hal Murray <halmurray@sonic.net>
Thread-Topic: [Ntp] Wildcards in NTS certificate checking
Date: Tue, 19 Apr 2022 18:14:23 +0000
Message-ID: <632A9247-A80B-40EC-A260-E349839A33D1@akamai.com>
References: <rsalz@akamai.com> <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com> <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/FlCbcDzYQ9XNOb_lQzJKkFv2980>
Subject: [Uta] FW: [Ntp] Wildcards in NTS certificate checking

A new reader in the NTP working group had some feedback on 6125bis.

>    The part that I was looking for was an explicit statement that the "SHOULD NOT
>    contain the wildcard" has been dropped.  It might help to add something like
>    that to the 3rd bullet in section 1.2

I propose to add one sentence:

* Wildcard support is now the default.
  Constrain wildcard certificates so that the wildcard can only
  be the complete left-most component of a domain name.

Does anyone disagree that support for wildcards is the default state of things?

>    IP Addresses are out of scope.  I'd like to know more, preferably a sentence
>    or paragraph but at least a good reference.  It seems like a good way to avoid
>    all the security tangles with DNS.

As the draft is about *names* I am not sure what should be done here.  Any ideas from the WG?  It does say:

* Identifiers other than FQDNs.
  Identifiers such as IP address are not discussed. In addition, the focus of ...

Do we need more rationale?

>    Last paragraph before section 4:  "MUST state" that wildcards are not
>    supported.  How does that apply to existing RFCs?  Has that item been added to
>    the reviewers checklist?  I think it would clarify things if future RFCs would
>    state that wildcards are supported.

The current draft says that if you don't support wildcards you MUST state so in your documents. Existing RFCs aren't bound by this draft.  Does anyone think this is a problem?

>    Section 6.2, last paragraph, matching DNS name and service type.  It's
>    probably obvious, but worth stating.  If I'm trying to find a match for
>    www:www.example.com or sip:voice.example.com, will that match a certificate
>    for sip:www.example.com?

Any suggestions on wording to address this? I think the rules in section 4.1 are clear, but any thoughts on how to improve it?
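As an added illustration (not part of the thread, and not code from the draft or any NTS implementation), the following matcher applies the wildcard constraint proposed above, that "*" may only be the complete left-most label and matches exactly one label, and also shows why a service-type mismatch such as sip: versus www: on the same host is not a match. The SRV-ID representation as a (service, name) pair and the delegation of its name portion to the DNS-ID rules are assumptions made for the example.

```python
# Added example: reference-identifier matching with the wildcard constraint
# discussed in the thread (wildcard = whole left-most label, one label only).
# Not taken from RFC 6125bis text or any NTS/NTP implementation.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_id_matches(reference: str, presented: str) -> bool:
    """Match a reference DNS-ID against one identifier presented in a cert."""
    ref = _labels(reference)
    pres = _labels(presented)
    # A wildcard anywhere other than as the entire left-most label
    # (e.g. "f*.example.com" or "www.*.example.com") is rejected outright.
    if any("*" in lab for lab in pres[1:]) or ("*" in pres[0] and pres[0] != "*"):
        return False
    if pres[0] != "*":
        # No wildcard: labels must be identical (case-insensitively).
        return ref == pres
    # "*" consumes exactly one label: "*.example.com" matches
    # "www.example.com" but neither "example.com" nor "a.b.example.com".
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def srv_id_matches(ref_service: str, ref_name: str,
                   presented: tuple[str, str]) -> bool:
    """Match a reference SRV-ID (service, name) against a presented one.

    Assumed model for the example: both the service type and the DNS name
    must match, so a certificate for service "sip" on www.example.com is not
    a match for service "www" on the same host. The name portion is matched
    with the DNS-ID rules above (an assumption, not a statement of the draft).
    """
    pres_service, pres_name = presented
    if ref_service.lower() != pres_service.lower():
        return False
    return dns_id_matches(ref_name, pres_name)
```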