IETF Logo Mail Archive

Re: [Uta] FW: [Ntp] Wildcards in NTS certificate checking

"Salz, Rich" <rsalz@akamai.com> Mon, 02 May 2022 14:59 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF043C159A30 for <uta@ietfa.amsl.com>; Mon, 2 May 2022 07:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.671
X-Spam-Level:
X-Spam-Status: No, score=-2.671 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVvzUA7g3iby for <uta@ietfa.amsl.com>; Mon, 2 May 2022 07:59:16 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 039DBC159A23 for <uta@ietf.org>; Mon, 2 May 2022 07:59:15 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 242Dx0EL014009; Mon, 2 May 2022 15:59:13 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=D0jZB3/Bn/oB+H1EvkRwusho0bRBMy9PEStOmOe8o8c=; b=VQO1tGIfqG3htXwgZMNGoV/sQviSiholnv5vvFBlNFd9KbvrM+rO9NoBEzzriEGB0Gld C+Uw/bg7MA8s7R1jEdVCrVC9cyJauAFXCpbg5yhi7Mvv0381wx6k3IqfJCUwGUd8aaAM jILEzPDyr4xu06g+Aebaoxk+no5gqOd8JH5v5GZ0bTU7uf9wC21M0+xLbOuelwT2koTV xMxX1w4eu3fkTEW2mb4ku6qFxNPo/pMD6yjSb0awyY2tpxyoaBnM+BA64uBQ9jdl13yo Cco0+AvuDNUBZa+XBEc06c2K3FeoFSXwhOLmBMrfBgv3/sD5ao5qFVcwSbVGWs/xi8oN 7w==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 3frsywf5kb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 02 May 2022 15:59:13 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 242EnohH002927; Mon, 2 May 2022 07:59:12 -0700
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint5.akamai.com with ESMTP id 3fs33bujnx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 02 May 2022 07:59:12 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag4mb2.msg.corp.akamai.com (172.27.91.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.22; Mon, 2 May 2022 10:59:12 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Mon, 2 May 2022 10:59:11 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.033; Mon, 2 May 2022 10:59:11 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, "uta@ietf.org" <uta@ietf.org>
CC: Hal Murray <halmurray@sonic.net>
Thread-Topic: [Uta] FW: [Ntp] Wildcards in NTS certificate checking
Thread-Index: AQHYU82Nyiq96q7J2UqxrNSbXdK12Kz3ivsAgACenoCAE5kogA==
Date: Mon, 02 May 2022 14:59:11 +0000
Message-ID: <285FD997-7207-4C9A-98AD-11741963773F@akamai.com>
References: <rsalz@akamai.com> <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com> <20220419091212.4342D28C1D8@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <632A9247-A80B-40EC-A260-E349839A33D1@akamai.com> <b44ee132-cedb-6926-3fb9-e78a4fbc5327@stpeter.im>
In-Reply-To: <b44ee132-cedb-6926-3fb9-e78a4fbc5327@stpeter.im>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.60.22041000
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <9F4FE57F09A32F43A222388F2D23E3AD@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-05-02_04:2022-05-02, 2022-05-02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 adultscore=0 bulkscore=0 phishscore=0 suspectscore=0 malwarescore=0 mlxlogscore=999 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205020116
X-Proofpoint-ORIG-GUID: B2VN5zcnnnY30aE0pNkcz6mVR8TdBEPB
X-Proofpoint-GUID: B2VN5zcnnnY30aE0pNkcz6mVR8TdBEPB
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-02_04,2022-05-02_03,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 adultscore=0 suspectscore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 impostorscore=0 mlxscore=0 mlxlogscore=999 phishscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205020117
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/b4zke-bhbsMK52IONGdjG9Gnb5g>
Subject: Re: [Uta] FW: [Ntp] Wildcards in NTS certificate checking
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 14:59:19 -0000

This is now an open issue https://github.com/richsalz/draft-ietf-uta-rfc6125bis/issues/44


On 4/19/22, 7:42 PM, "Peter Saint-Andre" <stpeter@stpeter.im> wrote:

    On 4/19/22 12:14 PM, Salz, Rich wrote:
    > A new reader in the NTP working group had some feedback on 6125bis.
    > 
    >>     The part that I was looking for was an explicit statement that the "SHOULD NOT
    >      contain the wildcard" has been dropped.  It might help to add something like
    >      that to the 3rd bullet in section 1.2
    > 
    > I propose to add one sentence:
    > 
    > * Wildcard support is now the default.
    >    Constrain wildcard certificates so that the wildcard can only
    >    be the complete left-most component of a domain name.

    +1

    > Does anyone disagree that support for wildcards is the default state of things?

    Bowing to deployment reality, I agree.

    >>     IP Addresses are out of scope.  I'd like to know more, preferably a sentence
    >      or paragraph but at least a good reference.  It seems like a good way to avoid
    >      all the security tangles with DNS.
    > 
    > As the draft is about *names* I am not sure what should be done here.  Any ideas from the WG? It does say
    > * Identifiers other than FQDNs.
    >    Identifiers such as IP address are not discussed. In addition, the focus of ...
    > 
    > Do we need more rationale?

    Personally I don't see the need for a rationale (e.g., pointing out the 
    percentage of certificates containing IP addresses - IIRC Jeff had some 
    numbers on that when we were working on RFC 6125 and it was 1% or less). 
    If someone wants to write a specification about IP addresses as names in 
    certificates, they are free to do so. In RFC 6125, Jeff and I had to 
    limit the scope or the document would have been even longer.

    >>     Last paragraph before section 4:  "MUST state" that wildcards are not
    >      supported.  How does that apply to existing RFCs?  Has that item been added to
    >      the reviewers checklist?  I think it would clarify things if future RFCs would
    >      state that wildcards are supported.
    > 
    > The current draft says that if you don't support wildcards you MUST state so in your documents. Existing RFCs aren't bound by this draft.  Does anyone think this is a problem?

    Having this apply to future documents that cite 6125bis seems fine to me.

    >>     Section 6.2, last paragraph, matching DNS name and service type.  It's
    >      probably obvious, but worth stating.  If I'm trying to find a match for
    >      www:www.example.com or sip:voice.example.com, will that match a certificate
    >      for sip:www.example.com?
    > 
    > Any suggestions on wording to address this? I think the rules in section 4.1 are clear, but any thoughts on how to improve it?

    Perhaps we should add more examples, specifically to Section 6.4 on 
    application service types. As I understand the situation mentioned by 
    the original poster, sip:www.example.com (with both domain name and 
    application service type) would not result in a match.

    Peter

v2.23.0 | Report a Bug | By Email