
Re: [authmeth] secure derivations of server hostname



Based on the list traffic that has occurred on this subject, I've changed the wording for authmeth -08 to read:
 
"The client MUST use the server provided by the user (or other trusted entity) as the value to compare against the server name as expressed in the server's certificate. A hostname derived from the user input is to be considered provided by the user only if derived in a secure fashion (e.g., DNSSEC)."
 
Note that I've excluded the explicit provision for derivations confirmed by the user because I believe that (1) Michael's concerns regarding the nearly automatic user acceptance of confirmation messages are real and (2) if user confirmation of a derived name is considered a secure enough derivation for a particular application, the remaining text still leaves that as an option without encouraging its use.
 
Roger

>>> Michael Ströder <michael@stroeder.com> 6/30/2003 4:14:53 PM >>>
Kurt D. Zeilenga wrote:
>
> And with regards to mappings of "localhost" (or 127.0.0.1 or ::1), I
> view the security considerations to a local matter (that is, it may
> be secure in some environments, not in others).

If it's only secure in a minority of systems that's not a strong argument.

> This text:
> "The client MUST use the server hostname it used to open the
> LDAP connection as the value to compare against the server name as
> expressed in the server's certificate. The client MUST NOT use any
> other derived form of name including the server's canonical DNS name."
> is problematic for a couple of reasons.
>
> First, it says "the server hostname it used to open the LDAP connection"
> instead of "the server hostname provided by the user (or application
> entity or other trusted entity)".

Yes, the wording should be changed.

> Second, derivation is fine if the result is confirmed by the user.

Well, given all the misconfigured systems today, human users are trained to
happily click away every alert box with "OK" just to step forward. :-/

> So, I'm thinking this should be reworded.
> The client MUST use the server hostname provided by the user (or other trusted
> entity) as the value to compare against the server name as expressed in the
> server's certificate. A hostname derived from the user input is to be considered
> provided by the user only if derived in a secure fashion (e.g., DNSSEC) or confirmed
> by the user.

I'd prefer to drop the note about user confirmation for the reason above.
IMHO the common work-around with SSL-related dialog boxes appearing all the
time asking the user for confirmation with most times very unclear language
should not be mentioned in such a standard.

Ciao, Michael.
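The rule discussed in this thread, as an added illustration that is not part of the draft or of anyone's mail above: the reference identity the client checks against the certificate is the name the user supplied, and a derived (e.g. canonical DNS) name is substituted only when the derivation was authenticated. The `Resolution` type, the `secure` flag and the sample names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class Resolution:
    """A name derived from the user's input (constructed type, not from the draft).
    secure is True only if the derivation was authenticated, e.g. DNSSEC-validated."""
    name: str
    secure: bool

def reference_identity(user_input: str, derived: Optional[Resolution]) -> str:
    """Name to compare against the certificate, per the authmeth -08 wording:
    the user-provided name, or a derived name only if derived in a secure fashion.
    An insecurely derived canonical name is never used."""
    if derived is not None and derived.secure:
        return derived.name.lower().rstrip(".")
    return user_input.lower().rstrip(".")

def dns_name_matches(reference: str, presented: str) -> bool:
    """Case-insensitive match of a presented dNSName against the reference identity.
    A leftmost-label '*' wildcard matches exactly one label; nothing else is special."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*" and len(pres) > 1:
        return ref[1:] == pres[1:]
    return ref == pres

def certificate_matches(reference: str, san_dns_names: Iterable[str]) -> bool:
    """True if any subjectAltName dNSName in the certificate matches the reference."""
    return any(dns_name_matches(reference, n) for n in san_dns_names)

if __name__ == "__main__":
    # Constructed scenario: the user typed the short alias "ldap"; the resolver's search
    # list expanded it to "ldap1.example.com" without DNSSEC, and that is the only name
    # in the server's certificate.
    san = ["ldap1.example.com"]
    insecure = Resolution("ldap1.example.com", secure=False)
    secure = Resolution("ldap1.example.com", secure=True)
    # Insecure derivation: the client must compare "ldap", which the cert does not carry.
    print(certificate_matches(reference_identity("ldap", insecure), san))  # False
    # Secure derivation: the canonical name may be used and matches.
    print(certificate_matches(reference_identity("ldap", secure), san))    # True
```

With the insecure derivation the check fails, which is the intended outcome: a name the resolver picked cannot be verified, so the client gains no assurance about the peer and must not pretend otherwise.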