IETF Logo Mail Archive

Re: [Uta] FW: [Ntp] Wildcards in NTS certificate checking

Peter Saint-Andre <stpeter@stpeter.im> Mon, 02 May 2022 17:03 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B6BEC15E6C0 for <uta@ietfa.amsl.com>; Mon, 2 May 2022 10:03:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.953
X-Spam-Level:
X-Spam-Status: No, score=-3.953 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=E/d3Mlkh; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=s2kkr8NQ
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xI-1xQRNjgbM for <uta@ietfa.amsl.com>; Mon, 2 May 2022 10:03:08 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4496C14F747 for <uta@ietf.org>; Mon, 2 May 2022 10:03:08 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id EB9BC5C011A; Mon, 2 May 2022 13:03:06 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Mon, 02 May 2022 13:03:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1651510986; x= 1651597386; bh=OwGjWCZqO2v91sdCFIr+Bl0Koj4Kq6DIX+gOSx/Ww6s=; b=E /d3MlkhW6e9AF3MzZSkkHbBDh3tJeK7yVh1tjHH3moK22TrHCMX8srsXF6dGNqSU mWP8II6Fwo5+wTmQDPE5Kk0OIhFxoQpBtPndop4Ygyo0sifTt7+gOvD5bgKCW0x2 /y/pGeF7crMqK6RWXdxmsNMG6Am5AcVvZKctPQEvxGlK8KTt+sRGKsAQyOYMqmnH jE0qAHgb+7FRnB0AdT0GsgZZblVytqiGIM3mT8DANZJiCPYOiDf0uQa9rY05C7tb sLRtE5p7FuJu/bPjUSCLuU2pJaikY15WCQMDgrFb1osPp9ITmaXOgEJH2RCetC04 NNVq3EFj/cB1LA1o/+sFA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1651510986; x=1651597386; bh=OwGjWCZqO2v91 sdCFIr+Bl0Koj4Kq6DIX+gOSx/Ww6s=; b=s2kkr8NQPHQneSs+/TnivVdrWY3B9 ioTU6Lz/4GfrJF/+GWuiN1oLEsG1dF/PjGW0lTEwXt0pRpDOX5mdMBA6N2gyKOVK SddPeGIIL2jkS290IkUf+ZG045Ed8c0o0DgVGAEZpC1vf8E8Yg87mcLp8xiCn9UM Ep2/ZuXrdUY9yEp95evI8USnUU/9gx5woCxieRLvS/utkNwbQZOP9CLnHW17cML4 7fcSU9UgpBA1TpztPyxwKppnJD83oTbUZ2+t7Ysd1tV5sM9J2wVQwqFDNLaXEA6h 2y20qTMTKxH/FwcQ8Zfd+4RQM9UClTfyJTtjHBN9ubBI26tp/RwQfl7Kw==
X-ME-Sender: <xms:yg5wYtTWoMfk380JL0DcYP2MZnQpQLKlZGSh6uI0ToNIKg_7H5Gtow> <xme:yg5wYmwM5Kvg6PGGhWczbQv88Q3jJSdo-okWsSPntb-OqwPPAQX7W-QTSiQf2g1Bq x-HuMmFXI29bWn5dA>
X-ME-Received: <xmr:yg5wYi2qMiZu_MyHUtRMuKjHAUwmTM4PxuGp9csZPILVSfiPtWBz-R71ijBw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrvdehgddutdejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepkfffgggfuffvvehfhfgjtgfgsehtkeertddtfeejnecuhfhrohhmpefrvght vghrucfurghinhhtqdetnhgurhgvuceoshhtphgvthgvrhesshhtphgvthgvrhdrihhmqe enucggtffrrghtthgvrhhnpeffledtueeivdduveeitdfgheehvdehkeevteeftefhhfei geetveefieekgeehtdenucffohhmrghinhepghhithhhuhgsrdgtohhmpdgvgigrmhhplh gvrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhho mhepshhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:yg5wYlBP1vRwUM3720BqZ3VTHfaiT2nCVOpsXLWJjYN5lJlQizFrcw> <xmx:yg5wYmhphYR9K3_yDUWlfvxDz5vnxxZxktEmoqY9gADHwQA8Cb6aDQ> <xmx:yg5wYprtRyb1o2Ncy81pl66Ac1CQ9m9UzjhzO_4YjySppiGupPf2-Q> <xmx:yg5wYps7fYKYQ95NKC3jbc4CAlpPGsLzsEVEPDFdKsCWqwJwXtcwfg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 2 May 2022 13:03:06 -0400 (EDT)
Message-ID: <4515aa37-cb6c-4cb1-2bd2-761e0c71e1f3@stpeter.im>
Date: Mon, 02 May 2022 11:03:05 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US
To: "Salz, Rich" <rsalz@akamai.com>, "uta@ietf.org" <uta@ietf.org>
Cc: Hal Murray <halmurray@sonic.net>
References: <rsalz@akamai.com> <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com> <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <632A9247-A80B-40EC-A260-E349839A33D1@akamai.com> <b44ee132-cedb-6926-3fb9-e78a4fbc5327@stpeter.im> <285FD997-7207-4C9A-98AD-11741963773F@akamai.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <285FD997-7207-4C9A-98AD-11741963773F@akamai.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/NMfgaAg9GB230k4vL6QRzLFNDFs>
Subject: Re: [Uta] FW: [Ntp] Wildcards in NTS certificate checking
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 17:03:13 -0000

On 5/2/22 8:59 AM, Salz, Rich wrote:
> This is now an open issue https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/44

Yep, I'll propose some text.

> On 4/19/22, 7:42 PM, "Peter Saint-Andre" <stpeter@stpeter.im> wrote:
> 
>      On 4/19/22 12:14 PM, Salz, Rich wrote:
>      > A new reader in the NTP working group had some feedback on 6125bis.
>      >
>      >>     The part that I was looking for was an explicit statement that the "SHOULD NOT
>      >      contain the wildcard" has been dropped.  It might help to add something like
>      >      that to the 3rd bullet in section 1.2
>      >
>      > I propose to add one sentence:
>      >
>      > * Wildcard support is now the default.
>      >    Constrain wildcard certificates so that the wildcard can only
>      >    be the complete left-most component of a domain name.
> 
>      +1
> 
>      > Does anyone disagree that support for wildcards is the default state of things?
> 
>      Bowing to deployment reality, I agree.
> 
>      >>     IP Addresses are out of scope.  I'd like to know more, preferably a sentence
>      >      or paragraph but at least a good reference.  It seems like a good way to avoid
>      >      all the security tangles with DNS.
>      >
>      > As the draft is about *names* I am not sure what should be done here.  Any ideas from the WG? It does say
>      > * Identifiers other than FQDNs.
>      >    Identifiers such as IP address are not discussed. In addition, the focus of ...
>      >
>      > Do we need more rationale?
> 
>      Personally I don't see the need for a rationale (e.g., pointing out the
>      percentage of certificates containing IP addresses - IIRC Jeff had some
>      numbers on that when we were working on RFC 6125 and it was 1% or less).
>      If someone wants to write a specification about IP addresses as names in
>      certificates, they are free to do so. In RFC 6125, Jeff and I had to
>      limit the scope or the document would have been even longer.
> 
>      >>     Last paragraph before section 4:  "MUST state" that wildcards are not
>      >      supported.  How does that apply to existing RFCs?  Has that item been added to
>      >      the reviewers checklist?  I think it would clarify things if future RFCs would
>      >      state that wildcards are supported.
>      >
>      > The current draft says that if you don't support wildcards you MUST state so in your documents. Existing RFCs aren't bound by this draft.  Does anyone think this is a problem?
> 
>      Having this apply to future documents that cite 6125bis seems fine to me.
> 
>      >>     Section 6.2, last paragraph, matching DNS name and service type.  It's
>      >      probably obvious, but worth stating.  If I'm trying to find a match for
>      >      www:www.example.com or sip:voice.example.com, will that match a certificate
>      >      for sip:www.example.com?
>      >
>      > Any suggestions on wording to address this? I think the rules in section 4.1 are clear, but any thoughts on how to improve it?
> 
>      Perhaps we should add more examples, specifically to Section 6.4 on
>      application service types. As I understand the situation mentioned by
>      the original poster, sip:www.example.com (with both domain name and
>      application service type) would not result in a match.
> 
>      Peter
>

v2.23.0 | Report a Bug | By Email