IETF Logo Mail Archive

Re: [Uta] wrt draft-ietf-uta-email-tls-certs

=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 09 February 2016 00:15 UTC

Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5DD51B3E12 for <uta@ietfa.amsl.com>; Mon, 8 Feb 2016 16:15:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.56
X-Spam-Level:
X-Spam-Status: No, score=-100.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, LOCALPART_IN_SUBJECT=1.107, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEWq6w360NQl for <uta@ietfa.amsl.com>; Mon, 8 Feb 2016 16:15:52 -0800 (PST)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) by ietfa.amsl.com (Postfix) with SMTP id 324771B3E16 for <uta@ietf.org>; Mon, 8 Feb 2016 16:15:52 -0800 (PST)
Received: (qmail 32041 invoked by uid 0); 9 Feb 2016 00:09:12 -0000
Received: from unknown (HELO cmgw3) (10.0.90.84) by gproxy1.mail.unifiedlayer.com with SMTP; 9 Feb 2016 00:09:12 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw3 with id G7961s00h2UhLwi01799oN; Tue, 09 Feb 2016 00:09:09 -0700
X-Authority-Analysis: v=2.1 cv=bej4Do/B c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=XYUc-DgfXtMA:10 a=BbB3o22BIMkA:10 a=jFJIQSaiL_oA:10 a=48vgC7mUAAAA:8 a=A1X0JdhQAAAA:8 a=gODYIiuJ08DRjZYz4e4A:9 a=QEXdDO2ut3YA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Cc:To:Subject:From; bh=+5S+oYu3Xu3b/j17LWQYURT2D6Ng8eoZn64HR3ySd50=; b=LG2XDO9Bulo8+mY0g14rtO2p2FHWJyXJ78r1TtVdpF5OWvdASyngTCs3Grv4bVe3QKaWf9Dq454YKa2VgvkE6NI6WcapbNvFL52RZ3ugSDn7H5iK+sciffUzb/QXc5mK;
Received: from [173.224.162.79] (port=2860 helo=[192.168.86.135]) by box514.bluehost.com with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1aSvrh-0000XJ-64; Mon, 08 Feb 2016 17:09:09 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: draft-ietf-uta-email-tls-certs@ietf.org
Message-ID: <56B92E22.4040307@KingsMountain.com>
Date: Mon, 08 Feb 2016 16:09:06 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 173.224.162.79 authed with jeff.hodges+kingsmountain.com}
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/OSNxyCz6ftqNklMoMZe4rF9NvqM>
Cc: uta@ietf.org, uta-chairs@ietf.org, IETF Discussion List <ietf@ietf.org>
Subject: Re: [Uta] wrt draft-ietf-uta-email-tls-certs
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 00:15:53 -0000

Hi Alexey,

 >On 02/02/2016 00:54, =JeffH wrote:
 >>
 >>
 >> I was taking a look at wrt draft-ietf-uta-email-tls-certs and noted that
 >> it says this in Section 3..
 >>
 >>    [...]
 >>                                        Matching is performed according
 >>    to the rules specified in Section 6 of [RFC6125], including the
 >>    relative order of matching of different identifier types,
 >>    "certificate pinning" and the procedure on failure to match.  The
 >>    following inputs are used by the verification procedure used in
 >>    [RFC6125]:
 >>
 >>    [...]
 >>
 >>    The rules and guidelines defined in [RFC6125] apply to an email
 >>    server certificate, with the following supplemental rules:
 >>
 >>    [...various supplemental rules to add to those defined in RFC6125.. ]
 >>
 >>
 >> ..thus I am curious as to why draft-ietf-uta-email-tls-certs does not
 >> officially update RFC6125 -- should it not (in addition to updating four
 >> other RFCs as it notes) ?
 >
 >"Supplemental rules" are inputs to RFC 6125 procedure (such as use of
 >wildcards, use of CN-ID, etc.). I don't think the document updates RFC
 >6125. If you think something better than "supplemental rules" should be
 >used in this context, please let me know.


Hm, here's the relevant portion of section 3 of..

[1] https://tools.ietf.org/html/draft-ietf-uta-email-tls-certs-09#page-4

    The rules and guidelines defined in [RFC6125] apply to an email
    server certificate, with the following supplemental rules:

    1.  Support for the DNS-ID identifier type (subjectAltName of dNSName
       type [RFC5280]) is REQUIRED in Email client software
       implementations.

    2.  Support for the SRV-ID identifier type (subjectAltName of SRVName
       type [RFC4985]) is REQUIRED for email client software
       implementations that support [RFC6186].  List of SRV-ID types for
       email services is specified in [RFC6186].  For the ManageSieve
       protocol the service name "sieve" is used.

    3.  URI-ID identifier type (subjectAltName of
       uniformResourceIdentifier type [RFC5280]) MUST NOT be used by
       clients for server verification, as URI-ID were not historically
       used for email.

    4.  For backward compatibility with deployed software CN-ID
       identifier type (CN attribute from the subject name, see
       [RFC6125]) MAY be used for server identity verification.

    5.  Email protocols allow use of certain wildcards in identifiers
       presented by email servers.  The "*" wildcard character MAY be
       used as the left-most name component of DNS-ID or CN-ID in the
       certificate.  For example, a DNS-ID of *.example.com would match
       a.example.com, foo.example.com, etc. but would not match
       example.com.  Note that the wildcard character MUST NOT be used
       as a fragment of the left-most name component (e.g.,
       *oo.example.com, f*o.example.com, or foo*.example.com).



The above rules #1 through #4 appear to map one-for-one to the four
bulleted rules beginning at the bottom of RFC6125 p-23 (in section 6.2.1)..

[2] http://tools.ietf.org/html/rfc6125#page-23

    Using the combination of fully qualified DNS domain name(s) and
    application service type, the client constructs a list of reference
    identifiers in accordance with the following rules:

    o  The list SHOULD include a DNS-ID.  A reference identifier of type
      DNS-ID can be directly constructed from a fully qualified DNS
      domain name that is (a) contained in or securely derived from the
      inputs (i.e., the source domain), or (b) explicitly associated
      with the source domain by means of user configuration (i.e., a
      derived domain).

    o  If a server for the application service type is typically
      discovered by means of DNS SRV records, then the list SHOULD
      include an SRV-ID.

    o  If a server for the application service type is typically
      associated with a URI for security purposes (i.e., a formal
      protocol document specifies the use of URIs in server
      certificates), then the list SHOULD include a URI-ID.

    o  The list MAY include a CN-ID, mainly for the sake of backward
      compatibility with deployed infrastructure.


I note that the above rules #1 through #3 from [1] are the same overall
rules as the above ones from RFC6125 [2] -- they have just been cast
specifically for the email use case, and they specify "tighter" normative
requirements than done in RFC6125 [2]. E.g., in the rule #1 CN-ID presence
is REQUIRED, whereas in RFC6125 it SHOULD be present. Rule #2 is a
REQUIRED vs. a SHOULD in RFC6125 [2], and rule #3 is a MUST NOT vs a
SHOULD.

Rule #4 is a wash: MAY corresponding to MAY in RFC6125 [2].

Rule #5 appears to map to RFC6125 section "6.4.3  Checking of Wildcard
Certificates"..

[3]  http://tools.ietf.org/html/rfc6125#section-6.4.3

..and profiles the latter in the sense that it (Rule #5) stipulates the
wildcard character MUST NOT be used as a fragment of the left-most name
component, where RFC6125 [3] stipulates a MAY.

This seems to me to be clearly "updating" or "profiling" RFC6125 normative
language, in the specific email use case.


thanks, HTH,

=JeffH

v2.23.0 | Report a Bug | By Email