Re: [Uta] 6125bis -- security considerations
Alexey Melnikov <alexey.melnikov@isode.com> Tue, 28 September 2021 17:06 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 620203A3520 for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 10:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ddNF-J85Hpt2 for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 10:06:02 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id CC9863A351D for <uta@ietf.org>; Tue, 28 Sep 2021 10:06:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1632848759; d=isode.com; s=june2016; i=@isode.com; bh=lEk8ATDuJlRtDqKLGQ+LfSGjyrLANMauFg7jMf6XQGE=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=QdsECmooy9ewP3qQiAXtwBfollha5LPOXijyKJcdIjTQIS4m5DMR0kFGSMJ9CTvuvevkRd 70v3/USb9/bib2oEQj5AXbrcOU1IScS9lGbcxP+ni1x9qbkXhA5KiM0AJQjrTagpOAqSrr AinLA+Z4YrU+H28bQMXDhmQ23kCh3LU=;
Received: from [192.168.1.222] (host5-81-100-26.range5-81.btcentralplus.com [5.81.100.26]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <YVNLdwAz0hod@statler.isode.com>; Tue, 28 Sep 2021 18:05:59 +0100
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
References: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <8a1547a1-a47f-ed17-1b31-b8cd0ff77fff@isode.com>
Date: Tue, 28 Sep 2021 18:05:53 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------7CF3B9A4FDA80ECC28E9C9DC"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QS-H20ldOyMfuqsPxJhHo0_XgdY>
Subject: Re: [Uta] 6125bis -- security considerations
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 17:06:08 -0000
Hi Rich, On 28/09/2021 15:20, Salz, Rich wrote: > > I am proposing the following for the security section. Any comments? > In particular, what about the “multiple identifiers” at the last few > lines? Should that go away now? If so, that will have ripple > effects. This text is currently at > https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29 > <https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29> > > # Security Considerations {#security} > > ## Wildcard Certificates {#security-wildcards} > > Wildcard certificates, those that have an identifier with "\*" as the > > left-most DNS label, automatically vouch for any single-label host names > > within their domain, but not multiple levels of domains. This can be > > convenient for administrators but also poses the risk of vouching for > rogue > > or buggy hosts. See for example {{Defeating-SSL}} (beginning at slide > 91) and > > {{HTTPSbytes}} (slides 38-40). > > Protection against a wildcard that identifies a public suffix > > {{Public-Suffix}}, such as `*.co.uk` or `*.com`, is beyond the scope > of this > > document. > > ## Internationalized Domain Names {#security-idn} > > Allowing internationalized domain names can lead to the inclusion of > visually > > similar, or confusable, characters in certificates. For discussion, > see for > > example {{IDNA-DEFS}}. > > ## Multiple Identifiers {#security-multi} > > A given application service might be addressed by multiple DNS domain > names > > for a variety of reasons, and a given deployment might service multiple > > domains or protocols. The client MUST use the TLS Server Name > Identification > > (SNI) extension as discussed in {{TLS, Section 4.4.2.2}}. > I don't think this MUST is appropriate, as this is not universally required by different protocols. I would rather rephrase this as a good way of addressing this issue. > > If multiple > > protocols share the same port, the client MUST use the Application-Layer > > Protocol Negotiation as described in {{ALPN}}. > The last sentence: the client might have no idea, this is not necessarily something common or known to the client. At least not common outside of Web. To rephrase this, I think this MUST requirement is outside of scope of this document. > To accommodate the workaround that was needed before the development > > of the SNI extension, this specification allows multiple DNS-IDs, > > SRV-IDs, or URI-IDs in a certificate. > > Best Regards, Alexey
- [Uta] 6125bis -- security considerations Salz, Rich
- Re: [Uta] 6125bis -- security considerations Ryan Sleevi
- Re: [Uta] 6125bis -- security considerations Salz, Rich
- Re: [Uta] 6125bis -- security considerations Alexey Melnikov
- Re: [Uta] 6125bis -- security considerations Salz, Rich
- Re: [Uta] 6125bis -- security considerations Ryan Sleevi
- Re: [Uta] 6125bis -- security considerations Salz, Rich
- Re: [Uta] 6125bis -- security considerations Ryan Sleevi
- Re: [Uta] 6125bis -- security considerations Salz, Rich