Re: [authmeth] secure derivations of server hostname
Kurt D. Zeilenga wrote:
> And with regards to mappings of "localhost" (or 127.0.0.1 or ::1), I
> view the security considerations to a local matter (that is, it may
> be secure in some environments, not in others).
If it's only secure in a minority of systems that's not a strong argument.
> This text:
>
> "The client MUST use the server hostname it used to open the
> LDAP connection as the value to compare against the server name as
> expressed in the server's certificate. The client MUST NOT use any
> other derived form of name including the server's canonical DNS name."
>
> is problematic for a couple of reasons.
>
> First, it says "the server hostname it used to open the LDAP connection"
> instead of "the server hostname provided by the user (or application
> entity or other trusted entity)".
Yes, the wording should be changed.
> Second, derivation is fine if the result is confirmed by the user.
Well, given all the misconfigured systems today, human users are trained to
happily click away every alert box with "OK" just to step forward. :-/
> So, I'm thinking this should be reworded.
>
> The client MUST use the server hostname provided by the user (or other trusted
> entity) as the value to compare against the server name as expressed in the
> server's certificate. A hostname derived from the user input is to be considered
> provided by the user only if derived in a secure fashion (e.g., DNSSEC) or confirmed
> by the user.
I'd prefer to drop the note about user confirmation for the reason above.
IMHO the common work-around of SSL-related dialog boxes appearing all the
time, asking the user for confirmation, most of the time in very unclear language,
should not be mentioned in such a standard.
Ciao, Michael.
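The hostname-comparison policy the thread argues over, as an added example that is not part of the message or of any LDAP client implementation: it compares the name the user supplied against the certificate's dNSName SANs (RFC 6125-style matching), and contrasts that with comparing a canonical name derived through unsigned DNS, which is the "derived form" the draft text forbids. All names, the resolver table and the SAN lists are constructed; IP literals such as 127.0.0.1 or ::1 are deliberately rejected because no iPAddress SAN is modelled.

```python
"""Hostname-checking policy for LDAP over TLS.

Added example, not code from the authmeth thread or from any LDAP client.
Every name, the CNAME table and the SAN lists below are constructed.
"""
import ipaddress

# Constructed subjectAltName (dNSName) lists standing in for parsed certificates.
GENUINE_SERVER_SANS = ["ldap.example.com", "*.dc.example.com"]
# A certificate that is perfectly valid for a *different* name. Whoever can
# tamper with unsigned DNS answers can make the genuine name canonicalise to it.
OTHER_NAME_SANS = ["host17.other.example"]

# Constructed, unsigned DNS view: the CNAME chain a client would follow if it
# "derived" a canonical name before comparing. Spoofed answers land here too.
UNSIGNED_CNAME_TABLE = {
    "ldap.example.com": "host17.other.example",
}


def dns_name_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, wildcard allowed only as the whole leftmost label and only
    matching exactly one label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # e.g. ".dc.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]   # the part covered by '*'
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches_cert(reference_name: str, sans: list[str]) -> bool:
    """Compare one reference identity against the certificate's dNSName SANs.
    IP literals (127.0.0.1, ::1, ...) never match a dNSName; they would need
    an iPAddress SAN, which this example does not model."""
    if is_ip_literal(reference_name):
        return False
    return any(dns_name_matches(san, reference_name) for san in sans)


def canonicalise_via_unsigned_dns(name: str) -> str:
    """Follow CNAMEs from an unsigned resolver (the derived form the draft
    text forbids). Bounded depth so a looping table cannot hang the client."""
    hops = 0
    while name in UNSIGNED_CNAME_TABLE and hops < 8:
        name = UNSIGNED_CNAME_TABLE[name]
        hops += 1
    return name


def check_user_provided(user_hostname: str, sans: list[str]) -> bool:
    """Policy from the thread: compare only the name the user or application
    supplied, never a derived one."""
    return name_matches_cert(user_hostname, sans)


def check_derived(user_hostname: str, sans: list[str]) -> bool:
    """Policy the draft text forbids: compare the DNS-derived canonical name.
    Passes whenever the resolver (or someone spoofing it) points at a host
    that holds a valid certificate for its own name."""
    return name_matches_cert(canonicalise_via_unsigned_dns(user_hostname), sans)


if __name__ == "__main__":
    user = "ldap.example.com"
    print("user-provided vs genuine cert:", check_user_provided(user, GENUINE_SERVER_SANS))  # True
    print("user-provided vs other cert:  ", check_user_provided(user, OTHER_NAME_SANS))      # False
    print("derived vs other cert:        ", check_derived(user, OTHER_NAME_SANS))            # True (wrongly accepted)
    print("127.0.0.1 vs genuine cert:    ", check_user_provided("127.0.0.1", GENUINE_SERVER_SANS))  # False
```

The two policy functions differ only in which string is handed to the matcher; the whole security argument of the thread lives in that choice. A DNSSEC-validated derivation could be plugged into `check_derived` in place of the unsigned table, which is exactly the "derived in a secure fashion" carve-out in the proposed wording.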