ietf
[Top] [All Lists]

Re: Review of draft-saintandre-tls-server-id-check

2010-09-13 22:33:40
On 9/13/10 6:03 PM, Stefan Santesson wrote:
Peter,
Comments in line;

Ditto.

On 10-09-13 9:16 PM, "Peter Saint-Andre" <stpeter(_at_)stpeter(_dot_)im> 
wrote:

On 9/13/10 12:39 PM, Stefan Santesson wrote:
Peter,

On 10-09-13 6:08 PM, "Peter Saint-Andre" <stpeter(_at_)stpeter(_dot_)im> 
wrote:

Hi Shumon,

As I see it, this I-D is attempting to capture best current practices
regarding the issuance and checking of certificates containing
application server identities. Do we have evidence that any existing
certification authorities issue certificates containing both an SRVname
for the source domain (e.g., example.com) and dNSName for the target
domain (e.g., apphosting.example.net)? Do we have evidence that any
existing application clients perform such checks? If not, I would
consider such complications to be out of scope for this I-D.

That said, we need to be aware that if such usage arises in the future,
someone might write a document that updates or obsoletes this I-D; in
fact the present authors very much expect that such documents will
emerge after the Internet community (specifically certification
authorities, application service providers, and application client
developers) have gained more experience with PKIX certificates in the
context of various application technologies.

Peter

I would like to turn the question around and ask why this specification need
to have an opinion on whether a relying party feels he have to check both
host name and service?

Stop right there. :) I sense a possible source of confusion. What do you
mean by "host name" and what do you mean by "service"?

Sorry for sloppy use of words.

With host name I mean here the actual DNS name of the host, which might be
host1.example.com (dNSName)

Or which might be apphost37.example.net or whatever...

By service I mean the service under a given domain, which for the same host
might be _xmpp.example.com (SRVName)

OK.

But what does dNSName=host1.example.com + SRVName=_xmpp.example.com
actually mean? I see three possibilities:

1. "Connect to example.com's XMPP service only if it's hosted on
host1.example.com"

2. "Don't connect to host1.example.com if you are looking for something
other than example.com's XMPP service" (i.e., if you want the IMAP
service or anything else at example.com, terminate the connection)

3. "The connection is fine if you're looking for (a) any service at
host1.example.com, *or* (b) example.com's XMPP service"

In my experience running the XMPP ICA for a few years, I found that our
root CA would issue dNSName=example.com + SRVName=_xmpp.example.com but
not dNSName=host1.example.com + SRVName=_xmpp.example.com (i.e., the
name in both dNSName and SRVName was the same). Yes, that is anecdotal,
but I think it makes some sense, because IMHO a CA is not going to "get
involved" with the particular machine that hosts a service (i.e., to
differentiate between the DNS domain name of the application service and
the DNS domain name of the hosting machine / provider).

Under the current rules, using this example I read it that the following
apply:

- If you are just checking the SRVName you will not learn the legitimate
host DNS name. 

Are there any application clients today that would check only the SRVName?

So a certificate issued to host2.example.com will be accepted
even if you intended to contact host1.example.com (even if that information
is in the cert).

In what sense does the application client "intend" to contact
host1.example.com? The user controlling a client (a browser or an email
client or an IM client or whatever) intends to contact example.com, not
host1.example.com or apphost37.example.net or whatever.

- If you just check the dNSName, you will miss the fact that you talk to the
desiganted ldap server and not the xmpp server (even if that information is
in the cert).

Correct. If that is a problem in your user community or operating
environment, then you need to find a better client.

IMHO it is almost a best practice for the DNS domain names in the
various presented identifiers of the certificate (dNSName, SRVName,
uniformResourceIdentifier, etc.) to be the same. I think we in the
Internet community don't yet have enough experience to say that with
high confidence, which is why I'm not ready to push on the point in this
I-D. However, let us consider the example of a delegated domain, such as
dNSName=apphost37.example.net + SRVName=_xmpp.example.com, which might mean:

1. "Connect to example.com's XMPP service only if it's hosted on
apphost37.example.com"

2. "Don't connect to apphost37.example.com if you are looking for
something other than example.com's XMPP service" (i.e., if you want the
IMAP service or anything else at example.com, terminate the connection)

3. "The connection is fine if you're looking for (a) any service at
apphost37.example.com, *or* (b) example.com's XMPP service"

In this case, I think #3 is clearly wrong because the user doesn't know
anything about apphost37.example.net and doesn't intend to connect to
that host.

#1 and #2 are close to equivalent, because they attempt to establish a
firm association between a host name (apphost37.example.net) and an
application service (example.com's XMPP service). Is that association
desirable? I'm not convinced (mainly because, to reiterate, I think that
end users don't know or care about the hosting provider or machine).
However, for such an association to be helpful, we'd need (i) clients
that consistently check both identifier types and (ii) CAs that certify
both the application service and the hosting provider. Further, I think
we'd also need (iii) a well-defined semantic that says dNSName is used
to represent the DNS domain name of the hosting provider or machine --
and as far as I can see dNSName does not have that meaning. Given that
we don't have (i), (ii), or (iii), I question the need for this line of
thinking.

In this I-D, we talk about "DNS domain name" and "service type", which
map quite well to _Service.Name from RFC 4985: the DNS domain name is
the "source domain" provided by the user or configured into the client
(e.g., "example.com") and the "service type" is a given application
protocol that could be serviced by the source domain (e.g., "IMAP").

This I-D is attempting to gently nudge people in the direction of
checking both the DNS domain name and the service type. IMHO this is
consistent with considering the SRVName and uniformResourceIdentifier
subjectAltName entries as more tightly scoped than dNSName or CN, and
therefore as potentially more "secure" in some sense (the subject might
want to limit use of a particular certificate to only the service type
identified in the SRVName or uniformResourceIdentifier).

If by "host name" you mean "target domain" as defined in the I-D (and
mapping to "Target" from RFC 2782) then we have more to discuss.

I'm not against describing the typical case, as long as this specification
does not imply that a relying party that has a reason to check two name
types is doing something wrong.

That is not the intent of this I-D, however that would be functionality
over and above what this I-D defines.

I have no extremely good examples of practical implementation here but
checking both host name and service seems like both extremely easy and good
practice.

With respect to revisions to this I-D, the lack of good examples
troubles me because we have been trying to abstract from common usage,
not to define guidelines for use cases that have not yet been defined,
implemented, and deployed.

Given that you would prefer to leave the door open to more advanced
checking rules, I think you would object to this text in Section 4.3:

   Once the client has constructed its list of reference identifiers and
   has received the server's presented identifiers in the form of a PKIX
   certificate, the client checks its reference identifiers against the
   presented identifiers for the purpose of finding a match.  It does so
   by seeking a match and stopping the search if any presented
   identifier matches one of its reference identifiers.  The search
   fails if the client exhausts its list of reference identifiers
   without finding a match.

You are saying that it is not necessarily appropriate to stop the search
once a single match is found, because the client might be configured to
look for multiple matches (e.g., a match against both the source domain
and the target domain). Would you like to suggest text that covers such
a case? Here is a possible rewrite of Section 4.3 that might address
your concern.

###

4.3.  Seeking a Match

   Once the client has constructed its list of reference identifiers and
   has received the server's presented identifiers in the form of a PKIX
   certificate, the client checks its reference identifiers against the
   presented identifiers for the purpose of finding a match.  The search
   fails if the client exhausts its list of reference identifiers
   without finding a match.  The search succeeds if any presented
   identifier matches one of the reference identifiers, at which point
   the client SHOULD stop the search.

      Implementation Note: A client might be configured to perform
      multiple searches, i.e., to match more than one reference
      identifier; although such behavior is not forbidden by this
      document, rules for matching multiple reference identifiers are a
      matter for implementation or future specification.

      Security Note: A client MUST NOT seek a match for a reference
      identifier of CN-ID if the presented identifiers include an
      SRV-ID, URI-ID, DNS-ID, or any application-specific subjectAltName
      entry types supported by the client.

   Detailed comparison rules for finding a match are provided in the
   following sections.


This sounds better to me.

If I'm not totally wrong in my example above I also think it would be good
with a security note stating that an SRVName may not provide the full host
DNS name, and if it is important to verify the host DNS name, you must
verify the dNSName in addition to what else you are checking.

See above. You and I seem to continually run aground on a disagreement
over whether it makes any sense for an application client (or the user
thereof) to know of, care about, or verify the DNS domain name of the
hosting machine / service / provider. That's the basis for our previous
discussion about RFC 4985 and it's the basis for our current discussion
about dNSName vs. SRVName. I simply don't understand why a normal human
user of an application client would ever want or need to be aware of the
hosting provider for a given application service, why a CA would want to
certify an association between a hosting provider and a given
application service, or why we would ever assume that the dNSName is
meant to identify the hosting provider whereas the SRVName is meant to
identify the application service. Cementing such an association in those
three ways is outside the scope of this I-D, even if one accepts the
premise that such an association is a good idea (which I don't). Can we
agree to disagree here and, rather than add a note about the security
features of such an association, instead add a note to Section 1.3.2
("Out of Scope") explaining why any possible association between the
application service and the hosting machine / service / provider is out
of scope for this I-D? Perhaps in the future we will have advanced far
enough to define best practices for such associations, but right now it
seems to me that we lack a firm basis for doing so.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf