
Re: [authmeth] secure derivations of server hostname



Kurt D. Zeilenga wrote:

And with regards to mappings of "localhost" (or 127.0.0.1 or ::1), I view the security considerations to a local matter (that is, it may be secure in some environments, not in others).

If it's only secure in a minority of systems that's not a strong argument.

This text:
        "The client MUST use the server hostname it used to open the
        LDAP connection as the value to compare against the server name as
        expressed in the server's certificate.  The client MUST NOT use any
        other derived form of name including the server's canonical DNS name."
is problematic for a couple of reasons.

First, it says "the server hostname it used to open the LDAP connection"
instead of "the server hostname provided by the user (or application
entity or other trusted entity)".

Yes, the wording should be changed.

Second, derivation is fine if the result is confirmed by the user.

Well, given all the misconfigured systems today, human users are trained to happily click away every alert box with "OK" just to step forward. :-/


So, I'm thinking this should be reworded.
        The client MUST use the server hostname provided by the user (or other trusted
        entity) as the value to compare against the server name as expressed in the
        server's certificate.  A hostname derived from the user input is to be considered
        provided by the user only if derived in a secure fashion (e.g., DNSSEC) or confirmed
        by the user.

I'd prefer to drop the note about user confirmation for the reason above. IMHO the common work-around with SSL-related dialog boxes appearing all the time asking the user for confirmation with most times very unclear language should not be mentioned in such a standard.


Ciao, Michael.
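The rule being worked out in the thread above, as an added example that is not code from the thread or from the draft: the secure check uses the name the user supplied as the reference identity, while the derived check first canonicalises it through an untrusted (non-DNSSEC) resolver, modelled here by a constructed CNAME table, so whoever can forge that answer chooses which certificate name gets accepted. `FAKE_CNAME_TABLE`, the function names and the wildcard rules are my assumptions, not text from the draft.

```python
import ipaddress

# Constructed stand-in for an untrusted (non-DNSSEC) resolver's CNAME answers.
# Whoever can forge these replies chooses what the "canonical" name is.
FAKE_CNAME_TABLE = {
    "ldap.example.com": "ldap-proxy.attacker.example",
}


def canonical_name(hostname: str) -> str:
    """Follow the CNAME chain in the constructed table (loop-safe)."""
    seen = set()
    while hostname in FAKE_CNAME_TABLE and hostname not in seen:
        seen.add(hostname)
        hostname = FAKE_CNAME_TABLE[hostname]
    return hostname


def name_matches(reference: str, presented: str) -> bool:
    """Compare a reference identity with one dNSName from the certificate.

    Case-insensitive, trailing dot ignored. A wildcard may stand only for
    the entire leftmost label of a name with at least three labels
    (*.example.com). An IP-literal reference never matches a dNSName;
    it would need an iPAddress SAN, which is not modelled here.
    """
    try:
        ipaddress.ip_address(reference.strip("[]"))
        return False
    except ValueError:
        pass
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*" and len(pres) >= 3 and ref[0]:
        return ref[1:] == pres[1:]
    return ref == pres


def check_secure(user_hostname: str, cert_dns_names: list[str]) -> bool:
    """The rule the thread argues for: compare the name the user supplied."""
    return any(name_matches(user_hostname, n) for n in cert_dns_names)


def check_derived(user_hostname: str, cert_dns_names: list[str]) -> bool:
    """What the draft forbids: canonicalise through untrusted DNS first."""
    derived = canonical_name(user_hostname)
    return any(name_matches(derived, n) for n in cert_dns_names)
```

With the forged CNAME in place, `check_derived` accepts a certificate issued to the attacker's name for a connection the user asked to make to `ldap.example.com`, while `check_secure` rejects it.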