So let me start with I think there is great information in here and I think it 
should be published as a standards track RFC however I do think there are some 
issues with the relation with this draft and the realities of what would help 
improve security in deployment of SIP, HTTP, IMAP, XMPP etc. 

There are many places where this draft makes choices to improve the security 
from many current practices. At face value this seems like a good thing but 
it's not always. The thing reducing the overall security available to users of 
TLS is not if certs use CN-ID or DNS-ID, it is that it's such a PITA to deploy 
a TLS  server that people choose to not use TLS at all. Everywhere there is a 
trade off between making things marginally more secure, or making things 
cheaper and easer to deploy, I think we need to seriously consider the cheaper 
and easier approach. Yes, some things are just broken even if they are easy and 
obviously we can't do those. Let me give an example of this. I looked at the 
cert for the domains for the authors of this draft. www.cisco.com has 3 DNS 
names even though as fas as I can tell one of these are for something that 
would typically be used in a ftp URI and the other HTTP URI. This is because it 
makes it easier and cheaper for them to use TLS yet seems to 
 go against the recommendation of this "BCP". Then I went over the 
www.paypal.com domain which uses, gasp, a CN-ID. Do we really believe that 
paypal is seriously compromising their security by using a CN instead of 
URI-ID? If so, how? I'm pretty sure the paypal guys know how to run a secure 
web server. With the exception of Microsoft small business server certificates 
(which are outrageously expensive by the way) it pretty hard to get SRV name 
certs. In making these recommendations, did the TLS WG consider the relative 
prices of various types of certificates? Lets say I had a certificate for the 
domain example.org because I was using it for email and it has a CN because I 
got it years ago. Now lets say I am going to go deploy a SIP service on 
example.org. My position is that best way to encourage the use of security on 
the internet is to just reuse the certificate I have. It cheap, it's easy, it 
secure enough even if it does make you feel a bit dirty. I think Jeff disagrees 
w
 ith me, we argued for years about this topic and my understanding is his 
position is that it would be better to say that all new deployments MUST not 
use a CN name because it's less secure. Give the prevalence of CN on the 
internet today, I think it is fine to tell people how DNS-ID is better but I 
don't think it's OK to tell them they should not use CN-ID and I definitely 
don't think it is OK to tell implementors they don't need to implement CN-ID. 

I encouraged Chris to write this draft long ago and what we had discussed at 
the time was forming a RFC with one or more boiler plate pieces of text that 
could be used in creation of the name matching section of new protocols that 
got developed. I was thinking of something similar to the way we use rfc 5226 
for writing IANA consideration section. Instead we have a document that is 
creating a very complex situations about whats normative. This draft is a BCP 
level, and it says you have to do everything in PKIX and PKIX takes precedence. 
That is basically elevating PKIX to a BCP without appropriate process review. 
Next this draft contradicts the procedures in existing protocols and says that 
it does not apply to the existing protocols but that it would take precedence 
over any future updates of existing protocols that use TLS within the scope 
specified here. I do not believe you have the consensus of the people woking on 
SIP that the next time some specification is marked as an
  UPDATE to 3261, that implementations need to implement the procedures in this 
draft. Furthermore, I think that would be counter productive. I think you 
should make it clear this guidelines for designers of new protocol and people 
updating existing protocol and that these protocols could make their own 
choices but would want to take into account the information in this draft. When 
I read the sentence, 
  "However, the best current practices described here can
   be referenced by future specifications, including updates to
   specifications for existing application protocols if the relevant
   technology communities agree to do so."
I think that is exactly the right solution to the problem. However, that not a 
BCP, thats a standards track spec. Furthermore, I think this draft is going to 
have all the normal bugs etc of any other spec that defines algorithms and such 
it should proceed through the standards track process. If this draft is going 
to go as a BCP, that text contradicts what a BCP is and needs to come out and 
the rest of the draft be adjusted appropriately. My preference would be that 
this draft be standards track. Its writing exactly the same sort of normative 
algorithm text that we put in all kinds of other thing like SIP, HTTP, and even 
TLS. They are all standards track. This should be the same. 

Most RFCs today that use TLS have a page plus or minus that tells an 
implementer what they need to know about matching names in certs. This draft 
move that to 30 to 50 pages depending on how you count. Most implementers are 
just going to ignore this thus worsening the security situation. Think about 
why is the part implementers need to read 10x longer than existing deceptions - 
this just seems wrong. Now it's easy to blow off this type concern and say get 
over it, it's the same number of lines of code they need to write. But the 
problem is when an implementors goes to start doing this and encounters 
something that is 50 pages long, they instantly decide this is a big task and 
down it goes on the priority list of actually happening. The other problem is 
that even thous it is long, it is still very confusing on how to do things 
(such at URI). I'll provide more detailed examples of this later in this email. 
If the document was restructured to have all the normative text in one s
 hort simple description and the rest moved to an appendix, it would be much 
easier to get people to take this seriously and easier to review that it was 
correct. 

My final big issue is the use of normative language. Lets say there are two 
procedures A and B and we 100% consensus that B is better than A but we still 
have to support A for existing deployment reasons. To describe this, the text 
this draft would use is is MUST do A and SHOULD NOT do B. Now reading 2119 it 
is pretty clear that SHOULD NOT means you don't implement it unless there are 
real good reasons to implement it. So on the things were we agree A is 
preferred to B but you need both for backwards compatibility, this draft needs 
to say MUST implement A and MUST implement B but deployments are encouraged to 
use B as we are trying to move away from A. I think the whole document needs a 
careful read checking for this issue. You can insert the usual rant here about 
why SHOULD is a awful word in specs 90% of the time it used because implementer 
thinks it means "ignore rest of sentence". For example,  section 5.4 discusses 
they this spec continues to mandate protocols MUST suppo
 rt CN yet this draft continually use "SHOULD NOT" when what it really means is 
MUST implement. This is going to confuse implementors of IETF specification and 
be ignored by operators. Given the goals of this spec it would be much better 
if it was clearly defining what IETF required implementers of protocols to do 
instead of confusing that with how we wish security was deployed. 

 
On to the nits.

Take an applications like a web server. Is the preferred thing in a cert a 
DNS-ID or a URI-ID. My reading of the 3.3 is that URI-ID is preferred over 
DNS-ID yet the examples don't match that. I think point 3 in section 3.1 tries 
to explain this away but I don't understand that - clearly web browsers use a 
URI. 

The rules in section 3.1 don't make sense for a CA. How will the CA know if the 
cert I want is going to be used for a protocol that uses SRV?

In section 3.2, in the imap example, you are saying that if I configure my imap 
server to mail.example.com and it presents a certificate with a DNS-ID of 
example.com that this is OK. That does not sound OK to me but I don't know how 
IMAP works. In the SIP example, the cert should have a SRV and DNS name too. As 
well as a CN if you actually want it to work in the real world. 

In section 4.2.1 you have a long discussion on how the information used must 
come from a way that can't be tampered with over the internet. I generally 
agree with this but would like to point out that protocols like LOST (see 
section 18 of rfc5222) specially do the opposite of this and actually match the 
cert agains the output of NAPTR process not the input to the NAPTR process.

The example just seem plain wrong in some cases. Take for example section 4.2.2 
where the SIP example has only a URI reference identifiers and no DNS yet the 
section right before this has said the list MUST include a DNS-ID. This text 
has been through how many reviews and Last Calls? The problem here is that this 
draft is too long to review for stuff like this. Even after the IESG is done 
reviewing it, statistics suggest it will still be littered with bugs like this 
and implementors will use the examples to guide them. If someone implements 
what is in the example, it will break in lots of sip deployments. 

There is a whole algorithm about matching various ID types, but the note about 
you ignore CN if you have other things is off in "Security Warning" very much 
out of any flow of the algorithm description then pointed out again in some 
other section. It's not wrong, but it's a bit weird from an implementer point 
of view. 

Many applications do need to deal with IP matching as well as domain names. The 
way this text is written here makes it harder to figure out how and where to 
mix that in. I'd rather see it just dealt with than instead of making it out of 
scope. Obviously it's not common on internet but it is common on private 
networks and walled gardens where many of the protocols were are talking about 
are deployed. Many of the "internet of things" people I work with have no 
intention of using DNS at all. I scoffed at multiple large service providers 10 
years ago when they said they were not using DNS with SIP but many still use 
IPs. This sounds less insane when you consider the major OS don't ship with an 
asynchronous DNS library. 

I'm baffled on why checking the service name in a SRV record is a SHOULD not a 
MUST. Could you add text explain why and when one would not check it. If you 
were in a really good mood you could do that for all the SHOULDs. Actually, 
when I read section 4.5 carefully, I think it literally says that when using a 
URI, checking the domain name is a SHOULD not a MUST. Surely check the domain 
name matches is not a SHOULD level sort of thing. 

Section 5.4. I have no idea why it matters that some major OS does not support 
SNI. Even if that OS did support SNI, many many applications running on that OS 
and the others would not support SNI. It seems like it is the applications 
acting as TLS servers and clients that are the important thing, not the OS. 

How you process URI-ID needs work. I could not figure out how to implement 
given the text in the draft as is. Even ignoring the special tar pit the SIP 
guys dug for themselves with tel URL processing, just the normal sip, sips 
issues seems unclear. 

This seems like a long list of complaints delivered fairly late but, once 
again, I really do like much of the information in here and think it should be 
published as PS - it just would be significantly improved with a bit of a 
re-factored and clean up. If this had been run through the TLS working group, I 
would have caught all of this in the WG LC. This is a draft that, as a BCP,  
profoundly effects many of the protocols I work on including SIP but as far as 
I can tell has not done much to gather the consensus of the people working on 
protocol that this draft changes - I don't recall hearing about it until after 
it went to the IESG so I'm pretty un apologetic about providing these comments 
during IETF LC. 

In summary, I like the information in this but I think it still has many small 
things that need fixing and needs to be changed to get crisp about what 
implementors need to do and drop the confusing stuff about how we wish 
operators and CA might use certificates. I also feel strongly that the right 
way to look at this draft is, as that draft says
 "practices described here can
   be referenced by future specifications, including updates to
   specifications for existing application protocols if the relevant
   technology communities agree to do so"
and that for that reason it has to be standards track not BCP. If it was not 
being written and pushed by two IESG members, I don't think we would even be 
discussing if it should be a BCP. 








_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Reply via email to