Re: [Uta] 6125bis: multiple identifiers
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 17 November 2021 05:10 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 579093A092D for <uta@ietfa.amsl.com>; Tue, 16 Nov 2021 21:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.395
X-Spam-Level:
X-Spam-Status: No, score=-1.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDwmFzITRTZo for <uta@ietfa.amsl.com>; Tue, 16 Nov 2021 21:10:30 -0800 (PST)
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65213A0922 for <uta@ietf.org>; Tue, 16 Nov 2021 21:10:30 -0800 (PST)
Received: by mail-pj1-f45.google.com with SMTP id nh10-20020a17090b364a00b001a69adad5ebso1503712pjb.2 for <uta@ietf.org>; Tue, 16 Nov 2021 21:10:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SooNjaE2+yNMV6AMyrNdW+t+wv1x87HOjuovqTTHqLw=; b=viU/xWyfgnmI6xjAH8aCdmxKeMAE98t9NrlxUaQS7a9fnBIKaz5XQdYfWPRtv1ISD0 bparYODnJRkn0LanxzsC2jPlnewyC+qNcuonoXP3PJ4YG3yEv5lZwub4Px5RyOfhaIPE cCzoUXtsexyMT8y3iFPYoL2uowtLV6oKXpGlXpxxLQC4D9+Y8Ht2Bn/yeMoXTXsZTB1H pQKZyyAFDzWNgaHEi1CK1w+mgiA2H0aPTEju74x5PozNI3jWeBwf/XGU3o2v78vRb/qd f4fIhuUy1fjOGHFenBeA8NUVAM9AHZCjTp5S9rLmm9Ws6YhGfR12xccrye4TBSqtD+Lt 8tUg==
X-Gm-Message-State: AOAM532sfBcBWt+qipDIcIgNJ4df3mOf/rHvfA1V3BEmGM6Z6s3n7OPF 3TSq7Sdfbcm/hRAIaYwUZL9Npv06FiI=
X-Google-Smtp-Source: ABdhPJwtZrVOHouyzxVFkhMdp4BHdnj/M1QPNA9F5TRWL3d6SwDTN2Tl5Mr0fNQwaWlGTIx+iKk32A==
X-Received: by 2002:a17:902:f68e:b0:142:c60:475 with SMTP id l14-20020a170902f68e00b001420c600475mr52668391plg.8.1637125829694; Tue, 16 Nov 2021 21:10:29 -0800 (PST)
Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com. [209.85.216.53]) by smtp.gmail.com with ESMTPSA id l17sm21073819pfc.94.2021.11.16.21.10.29 for <uta@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 16 Nov 2021 21:10:29 -0800 (PST)
Received: by mail-pj1-f53.google.com with SMTP id v23so1335890pjr.5 for <uta@ietf.org>; Tue, 16 Nov 2021 21:10:29 -0800 (PST)
X-Received: by 2002:a17:90b:3149:: with SMTP id ip9mr6143915pjb.77.1637125829047; Tue, 16 Nov 2021 21:10:29 -0800 (PST)
MIME-Version: 1.0
References: <69A1C217-926E-4342-8F31-BBF5D358DCF1@akamai.com> <469f6f80-9ff7-4c60-b31a-8cdcf7dd023f@www.fastmail.com>
In-Reply-To: <469f6f80-9ff7-4c60-b31a-8cdcf7dd023f@www.fastmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 17 Nov 2021 00:10:18 -0500
X-Gmail-Original-Message-ID: <CAErg=HGZXrRfd0w_-jPu=5_ZTSDXBdzUCwGcQeA=zsWf1Z04=A@mail.gmail.com>
Message-ID: <CAErg=HGZXrRfd0w_-jPu=5_ZTSDXBdzUCwGcQeA=zsWf1Z04=A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: uta@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007e3c0a05d0f50fb6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/vED5Nt1wXhRY04DDUTSUauFClAM>
Subject: Re: [Uta] 6125bis: multiple identifiers
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2021 05:10:35 -0000
On Tue, Nov 16, 2021 at 7:18 PM Martin Thomson <mt@lowentropy.net> wrote: > I think that the text on presented identifiers needs work. > > There are a few different things at play here: > > The identities we use are not always as specific as the identity used in > application protocols. On the web, we use origins, which is > scheme+host+port, but the reference identity that we use for authentication > only covers the host portion of that tuple. Most notably here, different > origins on different ports, cannot be distinguished in authentication. For > that you need application-layer constructs, like HTTP's Host header field. Not necessarily; see below. Authenticating the host portion doesn't tell you anything about the > protocol that was chosen (c.f., ALPACA). For that you need to use ALPN. Or SRV-IDs, which Mozilla was previously very positive about supporting (e.g. the addition restrictions in Mozilla policy regarding SRVNames) In the context of the document text, this seems to be accurate, right? That is, you’re rightfully highlighting that DNS-IDs alone aren’t sufficient to mitigate against ALPACA, but either SRV-IDs or ALPN provide a greater degree of protection. Of course, you still have issues with wildcards, which are equally a notion of multiple identities. > > The one credential (i.e., a certificate) can present multiple identities. > This is, I think what you are trying to address here. > > >From this, I think that you want to up-level this text and talk about > what is authenticated and what that means for application protocols that > use this authentication. There are cross-protocol attacks. Attacks that > exploit ambiguity of identity. Attacks that exploit ambiguity about the > type of identity. And they all derive from the same non-specificity in the > authentication layer. > > That non-specific authentication means that - in general - you need to > have application-layer signals about what identity is in play. You don't > address that at all. ALPN is a special case in that we've hoisted that > into the TLS layer. I think I would disagree with this claim. Application-layer signals are one way to solve this problem, but they are not a necessary condition. > > SNI is another thing that is available at the TLS layer, but we've seen in > the case of HTTP that this is not something that has the same > characteristics as ALPN in negotiating/selecting a single value. It will > depend on the protocol, but in HTTP we don't rely on SNI to identify which > identity is intended, that's the purpose of a Host header field. The text > here is a little vague about the SNI thing, but I would think that you need > a stronger statement regarding clients that don't support SNI - if the > protocol relies on SNI to bind the connection to a single identity. If a > protocol relies on SNI to select an identity AND some clients don't provide > SNI THEN in order to support those clients you then need to have only that > identity in the certificate. I don’t think this conclusion is entirely obvious; namely, the claim that you need _only_ that identity. That is, the certificate needs to select the identity instead. We've seen > people deploy servers on unique IP addresses in order to support clients > that don't provide SNI, but that is not a good idea if the protocol relies > on SNI to select an identity. > > Your recommendations about TLS versions and ciphersuites might be > misleading. Yes, a consistent configuration across servers is a good > thing, but it's not TLS configuration that matters here. Yes, it is though. Just as we saw issues with TLS1.3 and QUIC, or POODLE, TLS versions (and configurations) are best thought of as different protocols that facilitate cross-protocol attacks. What you describe below is separate, and useful, but seems to dismiss one problem while mentioning a somewhat separate problem. It's general operational security. The only way in which it relates to > this general problem is that - in the event of compromise - the weakest > server in the set is the one that matters. That it's an LDAP server > doesn't matter, because compromising it also affects the mail server due to > their credentials being fungible. In this setting, TLS configuration only > matters to the extent that full server impersonation is enabled via that > configuration. That's possible, as we've seen, but there are far more ways > to achieve that. RCE for instance. This is a separate discussion, I think? That’s not to say it’s not useful, but talking about operational security seems to be trying to drive more specific guidance from what was intentionally meant as fairly generic. It appears that you may be thinking it reads the opposite though - that the current text is somehow too specific to a generic problem. Do you have specific text to propose? That might help address the disconnect here. > > The ALPN recommendation could be strengthened. A lot. I would prefer a > construct that used "MUST" conditioned on an "unless the protocol does not > support it" and maybe "in which case the identities for which the server is > used are not used for any other protocol without ALPN support" or similar > conditions. See the past list discussion that raised concerns about that proposed change, which this language was trying to address. > > On Wed, Nov 17, 2021, at 07:14, Salz, Rich wrote: > > Ryan Sleevi has proposed adding the text below to the security > > considerations section. I’ve posted about this before and had > > miniscule feedback. Barring strong objections, I intend to merge this > > near the end of the week and publish a new draft containing this and > > the name-change. > > > > ## Multiple Presented Identifiers {#security-multi} > > > > A given application service might be addressed by multiple DNS domain > names > > for a variety of reasons, and a given deployment might service multiple > > domains or protocols. TLS Extensions such as TLS Server Name > Identification > > (SNI), discussed in {{TLS, Section 4.4.2.2}}, and Application Layer > Protocol > > Negotiation (ALPN), discussed in {{ALPN}}, provide a way for the > application > > to indicate the desired identifier and protocol to the server, which it > > can then used to select the most appropriate certificate. > > > > This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a > > certificate. As a result, an application service can use the same > > certificate for multiple hostnames, such as when a client does not > > support > > the TLS SNI extension, or for multiple protocols, such as SMTP and > > HTTP, on a > > single hostname. The use of a single certificate and its keypair in such > > environments can make it easier to launch cross-protocol attacks, > > particularly when used in > > differing TLS configurations; see, for example, {{ALPACA}} and > > {{DROWN}}. > > Server operators SHOULD take steps to mitigate the risk of > > cross-protocol > > attacks, such as ensuring all TLS endpoints using a given certificate > > support > > exactly the same TLS version(s) and ciphersuite(s), and SHOULD use the > > TLS > > ALPN extension to ensure the correct protocol is used. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- [Uta] 6125bis: multiple identifiers Salz, Rich
- Re: [Uta] 6125bis: multiple identifiers Viktor Dukhovni
- Re: [Uta] 6125bis: multiple identifiers Martin Thomson
- Re: [Uta] 6125bis: multiple identifiers Ryan Sleevi
- Re: [Uta] 6125bis: multiple identifiers Martin Thomson