
Re: [authmeth] secure derivations of server hostname
At 01:43 PM 6/30/2003, Michael Ströder wrote:
>I see some risks when relaxing the host name check.

There are certainly risks in use of derived names.  But, I think, the
risks are not so severe to warrant the absolute prohibition of their
use.  DNSSEC can be used to derive a name in secure fashion.  Even
DNS can be used in a secure fashion (e.g., with user confirmation).

And with regards to mappings of "localhost" (or 127.0.0.1 or ::1), I
view the security considerations as a local matter (that is, it may
be secure in some environments, not in others).

This text:
        "The client MUST use the server hostname it used to open the
        LDAP connection as the value to compare against the server name as
        expressed in the server's certificate.  The client MUST NOT use any
        other derived form of name including the server's canonical DNS name."
is problematic for a couple of reasons.

First, it says "the server hostname it used to open the LDAP connection" instead of
"the server hostname provided by the user (or application entity or other trusted entity)".

Second, derivation is fine if the result is confirmed by the user.

So, I'm thinking this should be reworded:
        The client MUST use the server hostname provided by the user (or other trusted
        entity) as the value to compare against the server name as expressed in the
        server's certificate.  A hostname derived from the user input is to be considered
        provided by the user only if derived in a secure fashion (e.g., DNSSEC) or confirmed
        by the user.

Kurt
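The rule proposed in this message, worked through as an added example that is not code from the thread: a client-side reference-identity check where a DNS-derived name only replaces the user-supplied hostname when it was derived securely or confirmed by the user. All hostnames and certificate names below are constructed.

```python
from typing import Optional


def _dns_name_matches(reference: str, presented: str) -> bool:
    """Case-insensitive dNSName comparison. A '*' is accepted only as the whole
    leftmost label, and only when at least two labels follow it."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def certificate_matches(cert_dns_names, reference: str) -> bool:
    """True if any dNSName in the certificate matches the reference identity."""
    return any(_dns_name_matches(reference, p) for p in cert_dns_names)


def reference_identity(user_hostname: str, derived_name: Optional[str] = None,
                       derived_securely: bool = False, user_confirmed: bool = False) -> str:
    """Proposed wording: the user-provided hostname is the reference identity; a
    derived hostname counts as user-provided only if derived securely (e.g. DNSSEC)
    or explicitly confirmed by the user."""
    if derived_name is not None and (derived_securely or user_confirmed):
        return derived_name
    return user_hostname


# Constructed scenario: the user typed ldap.example.com; ordinary unsigned DNS says
# its canonical name is ldap-3.hosting.example; the server's certificate covers
# only *.hosting.example.
USER_HOST = "ldap.example.com"
CANONICAL_FROM_DNS = "ldap-3.hosting.example"   # neither DNSSEC-validated nor confirmed
CERT_NAMES = ["*.hosting.example"]


def relaxed_check() -> bool:
    """Relaxed client: compares the DNS-derived canonical name, so whoever
    controls the DNS answer also controls which certificate is accepted."""
    return certificate_matches(CERT_NAMES, CANONICAL_FROM_DNS)


def strict_check() -> bool:
    """Proposed rule: plain DNS is not a secure derivation, so the reference
    identity stays the user-provided name and this certificate is rejected."""
    return certificate_matches(CERT_NAMES, reference_identity(USER_HOST, CANONICAL_FROM_DNS))


def dnssec_check() -> bool:
    """Same derivation, but DNSSEC-validated: the derived name may be used."""
    ref = reference_identity(USER_HOST, CANONICAL_FROM_DNS, derived_securely=True)
    return certificate_matches(CERT_NAMES, ref)
```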