IETF Logo Mail Archive

Re: [Uta] 6125bis -- security considerations

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 28 September 2021 17:06 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 620203A3520 for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 10:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ddNF-J85Hpt2 for <uta@ietfa.amsl.com>; Tue, 28 Sep 2021 10:06:02 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id CC9863A351D for <uta@ietf.org>; Tue, 28 Sep 2021 10:06:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1632848759; d=isode.com; s=june2016; i=@isode.com; bh=lEk8ATDuJlRtDqKLGQ+LfSGjyrLANMauFg7jMf6XQGE=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=QdsECmooy9ewP3qQiAXtwBfollha5LPOXijyKJcdIjTQIS4m5DMR0kFGSMJ9CTvuvevkRd 70v3/USb9/bib2oEQj5AXbrcOU1IScS9lGbcxP+ni1x9qbkXhA5KiM0AJQjrTagpOAqSrr AinLA+Z4YrU+H28bQMXDhmQ23kCh3LU=;
Received: from [192.168.1.222] (host5-81-100-26.range5-81.btcentralplus.com [5.81.100.26]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <YVNLdwAz0hod@statler.isode.com>; Tue, 28 Sep 2021 18:05:59 +0100
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "uta@ietf.org" <uta@ietf.org>
References: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <8a1547a1-a47f-ed17-1b31-b8cd0ff77fff@isode.com>
Date: Tue, 28 Sep 2021 18:05:53 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------7CF3B9A4FDA80ECC28E9C9DC"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QS-H20ldOyMfuqsPxJhHo0_XgdY>
Subject: Re: [Uta] 6125bis -- security considerations
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 17:06:08 -0000

Hi Rich,

On 28/09/2021 15:20, Salz, Rich wrote:
>
> I am proposing the following for the security section.  Any comments?  
> In particular, what about the “multiple identifiers” at the last few 
> lines?  Should that go away now?  If so, that will have ripple 
> effects.  This text is currently at 
> https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29 
> <https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29>
>
> # Security Considerations {#security}
>
> ## Wildcard Certificates {#security-wildcards}
>
> Wildcard certificates, those that have an identifier with "\*" as the
>
> left-most DNS label, automatically vouch for any single-label host names
>
> within their domain, but not multiple levels of domains.  This can be
>
> convenient for administrators but also poses the risk of vouching for 
> rogue
>
> or buggy hosts. See for example {{Defeating-SSL}} (beginning at slide 
> 91) and
>
> {{HTTPSbytes}} (slides 38-40).
>
> Protection against a wildcard that identifies a public suffix
>
> {{Public-Suffix}}, such as `*.co.uk` or `*.com`, is beyond the scope 
> of this
>
> document.
>
> ## Internationalized Domain Names {#security-idn}
>
> Allowing internationalized domain names can lead to the inclusion of 
> visually
>
> similar, or confusable, characters in certificates.  For discussion, 
> see for
>
> example {{IDNA-DEFS}}.
>
> ## Multiple Identifiers {#security-multi}
>
> A given application service might be addressed by multiple DNS domain 
> names
>
> for a variety of reasons, and a given deployment might service multiple
>
> domains or protocols.  The client MUST use the TLS Server Name 
> Identification
>
> (SNI) extension as discussed in {{TLS, Section 4.4.2.2}}.
>
I don't think this MUST is appropriate, as this is not universally 
required by different protocols. I would rather rephrase this as a good 
way of addressing this issue.
>
> If multiple
>
> protocols share the same port, the client MUST use the Application-Layer
>
> Protocol Negotiation as described in {{ALPN}}.
>
The last sentence: the client might have no idea, this is not 
necessarily something common or known to the client. At least not common 
outside of Web.

To rephrase this, I think this MUST requirement is outside of scope of 
this document.

> To accommodate the workaround that was needed before the development
>
> of the SNI extension, this specification allows multiple DNS-IDs,
>
> SRV-IDs, or URI-IDs in a certificate.
>
>
Best Regards,

Alexey

v2.23.0 | Report a Bug | By Email