[NNTP] STARTTLS diffs

EKR ekr at networkresonance.com
Tue Jun 14 09:14:31 PDT 2005


Ken Murchison <ken at oceana.com> writes:

> +     During the TLS negotiation, the client MUST check its understanding
> +     of the server hostname against the server's identity as presented
> +     in the server Certificate message, in order to prevent man-in-the-
> +     middle attacks.  Matching is performed according to these rules:
> +
> +     -  The client MUST use the server hostname it used to open the
> +        connection (or the hostname specified in TLS "server_name"
> +        extension [TLS-EXT]) as the value to compare against the server
> +        name as expressed in the server certificate.  The client MUST
> +        NOT use any form of the server hostname derived from an insecure
> +        remote source (e.g., insecure DNS lookup).  CNAME
> +        canonicalization is not done.
> +
> +     -  If a subjectAltName extension of type dNSName is present in the
> +        certificate, it SHOULD be used as the source of the server's
> +        identity.
> +
> +     -  Matching is case-insensitive.
> +
> +     -  A "*" wildcard character MAY be used as the left-most name
> +        component in the certificate.  For example, *.example.com would
> +        match a.example.com, foo.example.com, etc. but would not match
> +        example.com.
> +
> +     -  If the certificate contains multiple names (e.g. more than one
> +        dNSName field), then a match with any one of the fields is
> +        considered acceptable.
> +
> +
> +     If the match fails, the client SHOULD either ask for explicit user
> +     confirmation, or terminate the connection with a QUIT command and
> +     indicate the server's identity is suspect.
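
Review bot: The subjectAltName bullet says a dNSName "SHOULD be used as the source of the server's identity" when one is present, but no rule says what the client compares against when the certificate carries no dNSName, so two clients can reach different verdicts on the same certificate. State the fallback explicitly (RFC 2818 falls back to the most specific Common Name in the subject), or say that the match fails in that case. The wildcard bullet likewise leaves open whether *.example.com matches a name with more than one additional label, such as a.b.example.com; one sentence saying whether "*" covers exactly one name component would settle it.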

In some sense this is fine, as it embodies the RFC 2818 model of the
universe. However, it doesn't really match up so well with a 
self-signed cert model, in which it doesn't really matter what
the DN is, b/c you're trusting it explicitly anyway... I mean,
you *can* check the domain name, but why bother....

I'm not sure what model you expect people to be using...

-Ekr


