Re: [VIPR] Identity certificate segregation for VIPR
Marc Petit-Huguenin <petithug@acm.org> Tue, 07 February 2012 18:45 UTC
Return-Path: <petithug@acm.org>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAE4C11E80AF for <vipr@ietfa.amsl.com>; Tue, 7 Feb 2012 10:45:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.338
X-Spam-Level:
X-Spam-Status: No, score=-102.338 tagged_above=-999 required=5 tests=[AWL=0.262, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tsl3gBXKb57J for <vipr@ietfa.amsl.com>; Tue, 7 Feb 2012 10:45:50 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 88B0811E80AD for <vipr@ietf.org>; Tue, 7 Feb 2012 10:45:50 -0800 (PST)
Received: from [IPv6:2406:a000:f007:6f00:213:d4ff:fe04:3e08] (unknown [IPv6:2406:a000:f007:6f00:213:d4ff:fe04:3e08]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 4B9A42043C; Tue, 7 Feb 2012 18:30:43 +0000 (UTC)
Message-ID: <4F317157.9040303@acm.org>
Date: Tue, 07 Feb 2012 10:45:43 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20120104 Icedove/8.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <4F315AA1.9030703@acm.org> <CABcZeBPqqo9WoFfT7N8GrwWDyE20_Jk=rNSFwuBaZLgny4skNg@mail.gmail.com> <4F316B6F.7020308@acm.org> <CABcZeBMmFrcmF6sZp+F+93=v9k=1Mis7xHR3pdQfrB8_NtWNGQ@mail.gmail.com>
In-Reply-To: <CABcZeBMmFrcmF6sZp+F+93=v9k=1Mis7xHR3pdQfrB8_NtWNGQ@mail.gmail.com>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] Identity certificate segregation for VIPR
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2012 18:45:51 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 02/07/2012 10:33 AM, Eric Rescorla wrote: > On Tue, Feb 7, 2012 at 10:20 AM, Marc Petit-Huguenin <petithug@acm.org> > wrote: On 02/07/2012 09:51 AM, Eric Rescorla wrote: >>>> On Tue, Feb 7, 2012 at 9:08 AM, Marc Petit-Huguenin >>>> <petithug@acm.org> wrote: >>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >>>>> >>>>> The current version of RELOAD requires that the certificates used >>>>> contain one or more Node-IDs and one username. This username plays >>>>> no role in VIPR, so it is not only useless, but can also be a >>>>> source of privacy leak. >>>>> >>>>> A proposal was made in the p2psip WG some time ago for Identity >>>>> certificate segregation[1] (see also [2]), but the author is >>>>> waiting for the final version of RELOAD to publish a draft about >>>>> this. >>>>> >>>>> My proposal is to say in the RELOAD usage document that VIPR must >>>>> not use certificates with username, and to put a placeholder for >>>>> the reference to the upcoming draft about Identity certificate >>>>> segregation. >>>> >>>> Or, you could just use a dummy (random) username, e.g., a hash of >>>> the node-id. >>>> > > Yes, although that would still require an enrollment server that slightly > deviates from what is described in section 10.3 of RELOAD... > > ...or more precisely from what I understand from section 10.3, which is > that the user name stored in the certificate returned is the concatenation > of 1) the username passed as parameter of the HTTP POST, 2) the '@' > character and 3) the overlay name (there is at least one implementation I > know of that assumes that the username parameter is already in RCF822 form, > thus permitting a domain name different from the overlay name). > >> I don't read 10.3 as restricting the user name to be what is in the POST. >> The requirement is: > >> o A single name this user is allowed to use in the overlay, using type >> rfc822Name. Enrollment servers SHOULD take care to only allow legal >> characters in the name (e.g., no embedded NULs), rather than simply >> accepting any name provided by the user. > >> As authentication may not be required at all, I don't see how there can >> be a requirement that these two usernames be the same. > >> o If authentication is required, there is an form parameter of >> "password" and "username" containing the user's name and password in the >> clear (hence the need for HTTPS) > Hmmm. So I guess that this means that the following is in fact a conditional MUST: "The enrollment server MUST authenticate the request using the provided user name and password." Anyway, in the same paragraph we have this: "If the authentication succeeds and the requested user name is acceptable, the server generates..." I understand "requested user name" as the one that must be used as rfc822Name in the returned certificate. At best it is ambiguous. - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJPMXFWAAoJECnERZXWan7E5GYP/1kIwCVuzCBGVsAOpnkzcYD9 9ypZnQAe/9JolbQfNqMcU80DrvW8oTaax7ncoPunRVxXTAZWgnFuCYa49NUGd55d zyYmWgk+tN+szu7GZnpbfFP+jTY93A/KRwHacMDfm3BjukWU8lfk+IexG3+TO2GH BZ7pCWVsnou4ANVjGhY3RkhB8d4m7TC2aCzjVtj3hQP8f36JPRzFprMNUs0hWmMz tdRd/2k9ni/Li+fe7MCUL6k4QqaGmci4boUmsaChftlALh3dUj3rGRpU8qfnZT3u /kbkJEjbyaerBLwKssFe0EnHXpew72tK4Ub30k9uWTVe7mkIhUdTM8tqauiR2Gaq xyKrLn/rWPnd/ek0ZJAh4gyI2uSfDFEMtQPDFU4bmh/KCW3A9/xRa7ZyCtHotpQH spBnE8Zf26na+06o3qgVxBgH7xvvcW7SJ0YuI7TPOB2WYV6hN9LiurvFEVrY8/EU LbKVeJM5MBCwCNQDOe96RixDoSEQOyFP6zxzaDIseQq11E0m5izi86VaQH6fF+YR sMRd1S7AzmoTPfFNe1GwhcMivaLzY6xY7g2e1I1T9SdgfBwBlbUO5pIcfdYhS+v7 LroQhPIhUSyYpi9FBezmOOPqLgH8FUcRT6scYWfcx8LfhFY82G/N+uVLbUheu5SE TTftVuZJzhNuawAYXeT8 =QfH4 -----END PGP SIGNATURE-----
- [VIPR] Identity certificate segregation for VIPR Marc Petit-Huguenin
- Re: [VIPR] Identity certificate segregation for V… Eric Rescorla
- Re: [VIPR] Identity certificate segregation for V… Marc Petit-Huguenin
- Re: [VIPR] Identity certificate segregation for V… Eric Rescorla
- Re: [VIPR] Identity certificate segregation for V… Marc Petit-Huguenin
- Re: [VIPR] Identity certificate segregation for V… Eric Rescorla
- Re: [VIPR] Identity certificate segregation for V… Marc Petit-Huguenin