
Re: [authmeth] secure derivations of server hostname



I'll give two examples.

1) a client could derive a hostname from "localhost" in a secure fashion.
2) a client could derive a hostname from a domain name in a secure fashion
   using DNSSEC.

I know of implementations doing 1).

Kurt

At 10:49 AM 6/30/2003, Michael Ströder wrote:
>Roger Harrison wrote:
>>I can't provide some examples, because I'm not sure what, precisely, Bob had in mind when he made his suggestion.
>
>Without the rationale and some real-world examples I'm rather scared to relax the checking of the server's hostname in any way.
>
>Ciao, Michael.
>
>>Bob, can you give us some
>>insight here?
>> 
>>Thanks,
>> 
>>Roger
>> >>> Michael Ströder <michael@stroeder.com> 6/29/2003 6:44:54 AM >>>
>>Roger Harrison wrote:
>> > There is an outstanding work item, G.25, in authmeth-05 regarding
>> > the use of derived forms of the server's name when performing the
>> > server identity check while processing a StartTLS request. Currently,
>> > the wording of section 4.1.6 says:
>> >
>> > "The client MUST use the server hostname it used to open the LDAP
>> > connection as the value to compare against the server name as expressed
>> > in the server's certificate. The client MUST NOT use any other derived
>> > form of name including the server's canonical DNS name."
>> >
>> > According to my notes, Bob Morgan offered to provide some wording that
>> > would relax this restriction to allow usage of derivations of the server
>> > name that are provided securely. If Bob or some other knowledgeable
>> > member of the WG would help me with the proper wording or some
>> > information about what is acceptable, I will make the needed changes and
>> > close out the work item.
>>Could you please give some examples of "derivations of the server
>>name that are provided securely"? Is this about using host names in X.509v3
>>subjectAltName extension? I'm rather scared about relaxing this since I
>>suspect that insecure DNS is used to get the derivation of the server name.
>>Ciao, Michael.
>
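As an added illustration (not code from the thread or from any authmeth implementation) of the section 4.1.6 check quoted above and of the derivation it forbids: the comparison value is the hostname the client used to connect, and substituting a canonical name obtained from an unauthenticated lookup lets a certificate issued to some other host pass. The wildcard handling and the three-label minimum are this example's own assumptions; the certificate names and lookup table are constructed.

```python
"""Server identity check for LDAP StartTLS (authmeth-05 section 4.1.6):
compare the hostname the client used to open the connection against the
dNSName values in the server certificate, with no DNS-derived substitute."""


def _wildcard_label_ok(pattern_labels):
    # Assumed restriction: '*' is honoured only as the entire leftmost label,
    # and only when at least two fixed labels follow it ('*.com' never matches).
    return pattern_labels[0] == "*" and len(pattern_labels) >= 3


def hostname_matches(connect_hostname, cert_dns_names):
    """True if connect_hostname matches one certificate dNSName (case-insensitive)."""
    host = connect_hostname.rstrip(".").lower().split(".")
    for name in cert_dns_names:
        pattern = name.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern == host:
            return True
        if _wildcard_label_ok(pattern) and pattern[1:] == host[1:]:
            return True
    return False


def check_server_identity(connect_hostname, cert_dns_names):
    """The check the draft text requires: the comparison value is exactly
    the hostname the client used to open the LDAP connection."""
    return hostname_matches(connect_hostname, cert_dns_names)


def check_with_derived_name(connect_hostname, cert_dns_names, canonicalize):
    """The derivation the draft forbids: canonicalize() stands in for an
    unauthenticated lookup (e.g. gethostbyname()) returning the server's
    canonical DNS name, which is then compared instead of the connect name."""
    return hostname_matches(canonicalize(connect_hostname), cert_dns_names)


if __name__ == "__main__":
    # Constructed data: a certificate legitimately issued to another host, and a
    # lookup table standing in for DNS answers controlled by someone on the path.
    other_host_cert = ["ldap.other-host.test"]
    spoofed_dns = {"ldap.example.com": "ldap.other-host.test"}
    print(check_server_identity("ldap.example.com", other_host_cert))  # False
    print(check_with_derived_name("ldap.example.com", other_host_cert,
                                  spoofed_dns.__getitem__))  # True
```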