[Uta] 6125bis -- security considerations

"Salz, Rich" <rsalz@akamai.com> Tue, 28 September 2021 14:20 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "uta@ietf.org" <uta@ietf.org>
Thread-Topic: 6125bis -- security considerations
Thread-Index: AQHXtHP3eEDLzhKzqEKvWtfWGXT+ng==
Date: Tue, 28 Sep 2021 14:20:19 +0000
Message-ID: <03D3917B-3719-4466-8739-2066C601E116@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/lvwceLToSK5xi1JT2FGnQ_0xWQI>
Subject: [Uta] 6125bis -- security considerations

I am proposing the following for the security section.  Any comments?  In particular, what about the “multiple identifiers” at the last few lines?  Should that go away now?  If so, that will have ripple effects.  This text is currently at https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/29


# Security Considerations {#security}

## Wildcard Certificates {#security-wildcards}

Wildcard certificates, those that have an identifier with "\*" as the
left-most DNS label, automatically vouch for any single-label host names
within their domain, but not multiple levels of domains.  This can be
convenient for administrators but also poses the risk of vouching for rogue
or buggy hosts. See for example {{Defeating-SSL}} (beginning at slide 91) and
{{HTTPSbytes}} (slides 38-40).

Protection against a wildcard that identifies a public suffix
{{Public-Suffix}}, such as `*.co.uk` or `*.com`, is beyond the scope of this
document.

## Internationalized Domain Names {#security-idn}

Allowing internationalized domain names can lead to the inclusion of visually
similar, or confusable, characters in certificates.  For discussion, see for
example {{IDNA-DEFS}}.
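To make the confusable-character risk concrete, here is an added Python example (mine, not text from the draft or from RFC 6125bis) that converts a U-label to the A-label a certificate's DNS-ID would actually carry and flags labels whose letters come from more than one script. The sample names are constructed, and the script heuristic (first word of the Unicode character name) is my own simplification of a proper Unicode Script-property check.

```python
import unicodedata

# Constructed sample names (not from the draft): an ASCII name, a look-alike
# whose second letter is CYRILLIC SMALL LETTER A (U+0430), and a legitimate
# German IDN.
SAMPLE_NAMES = ["paypal.com", "p\u0430ypal.com", "b\u00fccher.example"]


def to_a_label(name: str) -> str:
    """Return the ASCII form (A-labels, 'xn--' punycode) that a DNS-ID in a
    certificate would carry; ASCII labels pass through unchanged."""
    return name.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Crude script bucket taken from the first word of the Unicode character
    name ('LATIN', 'CYRILLIC', 'GREEK', ...).  Assumption: good enough for a
    screening check; a production check would use Unicode Script properties."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_labels(name: str) -> list[str]:
    """Labels of `name` whose letters come from more than one script.
    Such labels are a common marker of a visually confusable identifier."""
    flagged = []
    for label in name.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def screen(name: str) -> dict:
    """Summarize what a reviewer (or an issuance check) would want to see."""
    return {
        "u_label": name,
        "a_label": to_a_label(name),
        "mixed_script_labels": mixed_script_labels(name),
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(screen(n))
```

Displaying the A-label next to the U-label is itself a useful mitigation: the look-alike name becomes `xn--pypal-4ve.com`, which no longer resembles the ASCII original, and the mixed-script flag catches it even before a human looks.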

## Multiple Identifiers {#security-multi}

A given application service might be addressed by multiple DNS domain names
for a variety of reasons, and a given deployment might service multiple
domains or protocols.  The client MUST use the TLS Server Name Identification
(SNI) extension as discussed in {{TLS, Section 4.4.2.2}}.  If multiple
protocols share the same port, the client MUST use the Application-Layer
Protocol Negotiation as described in {{ALPN}}.
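As an added illustration of what the client actually puts on the wire for these two requirements (my example, not text or code from the draft), the following Python builds a minimal ClientHello that carries the SNI and ALPN extensions and then parses both back out, which is what a server or a passive monitor needs in order to see which name and which protocol a peer asked for. The packet shape (a zero random, a single cipher suite, only these two extensions) and the host names are constructed for the example.

```python
import struct

SNI_EXT = 0      # server_name, RFC 6066
ALPN_EXT = 16    # application_layer_protocol_negotiation, RFC 7301


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str, alpn: list[str]) -> bytes:
    """Constructed sample ClientHello (not a captured message): TLS 1.2 shape,
    zero random, one cipher suite, and only the two extensions of interest."""
    host = server_name.encode("idna")                          # SNI carries the A-label
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_body = struct.pack("!H", len(protos)) + protos
    exts = _ext(SNI_EXT, sni_body) + _ext(ALPN_EXT, alpn_body)
    body = (
        b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"          # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data: bytes):
    """First host_name entry of a ServerNameList, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    p, end = 2, 2 + list_len
    while p + 3 <= end:
        name_type = data[p]
        name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
        name = data[p + 3:p + 3 + name_len]
        p += 3 + name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def _parse_alpn(data: bytes) -> list[str]:
    """All entries of a ProtocolNameList, in the client's preference order."""
    list_len = struct.unpack("!H", data[:2])[0]
    p, end, names = 2, 2 + list_len, []
    while p < end:
        n = data[p]
        names.append(data[p + 1:p + 1 + n].decode("ascii"))
        p += 1 + n
    return names


def parse_client_hello(record: bytes) -> dict:
    """Pull the SNI host name and the ALPN protocol list out of a ClientHello
    record; raise ValueError if the framing is wrong or truncated."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                             # skip client_version and random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    found = {"sni": None, "alpn": []}
    if pos == len(body):
        return found                                         # legacy hello without extensions
    exts_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + exts_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        if ext_type == SNI_EXT:
            found["sni"] = _parse_sni(data)
        elif ext_type == ALPN_EXT:
            found["alpn"] = _parse_alpn(data)
    return found


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", ["h2", "http/1.1"])
    print(parse_client_hello(hello))
```

The parser returns `sni` as `None` and `alpn` as an empty list when the client omitted the extensions, which is exactly the condition a server enforcing the two MUSTs above would reject or log. Note that the SNI value is the A-label form of the name, so it is what the DNS-ID comparison should be run against.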

To accommodate the workaround that was needed before the development
of the SNI extension, this specification allows multiple DNS-IDs,
SRV-IDs, or URI-IDs in a certificate.
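The following is an added Python example (mine, not code from the draft or from any TLS library) that serves two passages: the wildcard rule from the Wildcard Certificates section (a `*` only as the entire left-most label, standing for exactly one label, never multiple levels) and the per-identifier walk over a certificate that carries several DNS-IDs, as this section allows. Refusing a wildcard that sits directly on a public suffix goes a little beyond the draft text, which leaves that out of scope; the public-suffix fragment used here is constructed, not the real {{Public-Suffix}} list.

```python
# Constructed fragment of the public suffix list (the real list in
# {{Public-Suffix}} has thousands of entries); used only to show the check.
SAMPLE_PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "example"}


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_public_suffix_wildcard(identifier: str, suffixes=SAMPLE_PUBLIC_SUFFIXES) -> bool:
    """True for identifiers like '*.co.uk' whose wildcard sits directly on a
    public suffix, so the certificate would vouch for every registrant."""
    labels = _labels(identifier)
    return labels[0] == "*" and ".".join(labels[1:]) in suffixes


def dns_id_matches(identifier: str, reference: str) -> bool:
    """Match one presented DNS-ID against the reference identity.

    A wildcard is accepted only as the entire left-most label and stands for
    exactly one label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'.  Comparison is case-insensitive."""
    pres, ref = _labels(identifier), _labels(reference)
    if "*" not in identifier:
        return pres == ref                         # plain identifier: exact label match
    if pres[0] != "*" or any("*" in lbl for lbl in pres[1:]):
        return False                               # '*' must be the whole left-most label
    if len(pres) < 2:
        return False                               # a bare '*' names no domain at all
    if is_public_suffix_wildcard(identifier):
        return False                               # refuse '*.com', '*.co.uk' and friends
    return len(pres) == len(ref) and pres[1:] == ref[1:]


def certificate_matches(dns_ids: list[str], reference: str):
    """Walk every DNS-ID in a certificate (the 'multiple identifiers' case) and
    return the first one that matches the reference identity, else None."""
    for ident in dns_ids:
        if dns_id_matches(ident, reference):
            return ident
    return None


if __name__ == "__main__":
    # Constructed certificate SAN list covering two domains of one deployment.
    san = ["mail.example.com", "*.example.org"]
    for host in ["imap.example.org", "example.org", "www.example.com"]:
        print(host, "->", certificate_matches(san, host))
```

The reference identity passed in should be the A-label form of the name the client intended to reach (the same string it sent in SNI), so that an IDN never reaches the comparison in U-label form.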