Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
Peter Saint-Andre <stpeter@stpeter.im> Mon, 27 June 2022 19:16 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CC3CC14F74A; Mon, 27 Jun 2022 12:16:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.003
X-Spam-Level:
X-Spam-Status: No, score=-9.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=va5YWFAf; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=wE2wb8wR
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSEYwtipdzyy; Mon, 27 Jun 2022 12:16:07 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FAA2C14F735; Mon, 27 Jun 2022 12:16:01 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id AC3175C01D6; Mon, 27 Jun 2022 15:16:00 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Mon, 27 Jun 2022 15:16:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1656357360; x= 1656443760; bh=vywqElsQFlcce2pIU/xbPe+5gPJ1RThffdgMlXAzfIg=; b=v a5YWFAf1OvCXyXAyEScDEIQmhrKIFvI4ywjY98SBneRdabxFG4BURbOoCcwnnYLV 9nR2qo/WS8Yny5dJaTgy5eSObxXQjOB7brX2ndjc6Z2JEmeaAEVF8cqaV6v0CWpC Y2WzuF6ZTz/v5b+ezFpCKQZG7AlT+48Q0gENS5IBMl67MmlfC1ubJlSJVcjQFf4K 9xLBQ1s6IMnCPLS2BIZg9y+1kr5ubjA4RSrgb3x15SDEKtmAnOPde6uGVC0+zbOE N/S5itTD67zKRnA36UbtI3WAtzdHOm+JUfPhFMGRu45nMip/Uw5RG3XO8neGy9Q8 bYRGUHtWYPas5NrEz+3+A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1656357360; x= 1656443760; bh=vywqElsQFlcce2pIU/xbPe+5gPJ1RThffdgMlXAzfIg=; b=w E2wb8wR1BH4sg76JQndogbXDLMieagxxmTeKdpZWB4CplcUJGJTwvgNXqBjSPf9j 7Pkh5JJcUA7qmv8MO+OKQ9tYObjQA7Rvri9GICtMlZnzTAASTNtD43kEjwGVF0Az YxwLUK8XLjlo+4+M7cwvp7ur4M28rI4FFSvs8xOIhDkEeVeb9P6RPapIN87NQy4T hzPTpN7+2sT5wsLhrel4lgCN/OdVUc0dEeduILqhepM5UU0xxYwK/VfMNtqAXKg7 S9JkIsVhhKhR4Wgb3igzxCcyCzlvvYUdsCZ9jktxd86XMu19J6ockwEk0C/6YZdm 398MHUkDmRW1T61T10gZg==
X-ME-Sender: <xms:8AG6YihHhX2plWL1-FXUu63zPFhgDYIv5Va9r15sXzas-HYbua8QQw> <xme:8AG6YjBYg8BY8hUcHi4j759NsWqodvwXUYFI5cMSJIit4YsHBHitkFxxVsnzv3ADz -A6jsMhtb_Djmy2qw>
X-ME-Received: <xmr:8AG6YqEEyNxlf81n0WaPtOnMCivk2ubSAeI4Eq67AS68um6qYukiHXkjkVJU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudeghedgudefkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfhvfevfhfujggtgfesthejredttdefjeenucfhrhhomheprfgv thgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimh eqnecuggftrfgrthhtvghrnhepvddugeffueeiudffjeektdfgtdfhffduuedtkeekgfeg ueetledtkeefffdvteehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrg hilhhfrhhomhepshhtphgvthgvrhesshhtphgvthgvrhdrihhm
X-ME-Proxy: <xmx:8AG6YrQKotwlEJA2hKP74DJ7KTcPqBEZD793uEpTWAQ86RRw0MFOBQ> <xmx:8AG6YvwK0Lgjq9x9Xg1vAgrTvV0iIeqJmoRbsMYTMcFqPxAnL67uyQ> <xmx:8AG6Yp6xqcPaYZqGTlIUnkK43U4kKjkDIkd7nG57rf9deaWa9NNSFg> <xmx:8AG6YhsiRtladUvmCdmAJxmC8GW2QsrRVpK105Mz16sLHmqslHx5EA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 27 Jun 2022 15:15:59 -0400 (EDT)
Message-ID: <ff2d03f0-9444-1594-2aad-52714d30d405@stpeter.im>
Date: Mon, 27 Jun 2022 13:15:58 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Valery Smyslov <valery@smyslov.net>, uta@ietf.org, draft-ietf-uta-rfc6125bis@ietf.org
Cc: uta-chairs@ietf.org
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <ae5b3a02-bcc3-2106-a39a-b67aae55d85c@stpeter.im> <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im>
In-Reply-To: <ac41a613-f802-0138-1e1b-326d2baa6574@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/v6-2NyiXieieIeiMH9TbdKl1Fz4>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 19:16:12 -0000
On 6/24/22 5:07 PM, Peter Saint-Andre wrote:
>> * Which identifier types a client includes in its list of reference
>> identifiers, and their priority, is a matter of local policy - given
>> the situation today, can we have a normative recommendation for
>> clients to be strict in constructing their reference list? If we don't
>> include such normative text, we're basically telling people to make
>> the easier choice and build lenient clients.
>
> It seems to me that the local policy will depend a great deal on the
> protocol(s) that an application supports, the state of SRV-ID and URI-ID
> support in that protocol and its implementations/deployments, etc.
> However, I do think that we can formulate some more strict rules that
> ought to be followed by implementations. Text to follow.
Here is a proposed change.
OLD
Which identifier types a client includes in its list of reference
identifiers, and their priority, is a matter of local policy. For
example, a client that is built to connect only to a particular kind
of service might be configured to accept as valid only certificates
that include an SRV-ID for that application service type. By
contrast, a more lenient client, even if built to connect only to a
particular kind of service, might include both SRV-IDs and DNS-IDs in
its list of reference identifiers.
NEW
Which identifier types a client includes in its list of reference
identifiers, and their priority, is a matter of local policy. The
substance of such a policy might depend on the application
protocol that a client supports, the state of SRV-ID and URI-ID
support in that protocol, and similar factors. In general, a client
SHOULD follow a policy that is consistent with the highest level of
security and strictest rules for service identification available in
an application protocol. For instance, if the protocol defines an
SRV-ID or URI-ID for the application service type and that SRV-ID or
URI-ID is commonly included in certificates issued to such services,
then the client ought to be configured to accept as valid only
certificates that include the SRV-ID or URI-ID (not merely a DNS-ID).
Such a policy can help to avoid cross-protocol attacks.
Peter
- [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Alexey Melnikov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 tom petch
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre