Re: Identity Checking in Application Protocols

To: Peter Saint-Andre <stpeter at stpeter.im>
Subject: Re: Identity Checking in Application Protocols
From: Kurt Zeilenga <Kurt.Zeilenga at Isode.com>
Date: Thu, 29 Oct 2009 19:13:31 -0700
Cc: apps-discuss at ietf.org
Delivered-to: apps-discuss at core3.amsl.com
In-reply-to: <4AEA0C78.70106 at stpeter.im>
List-archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-post: <mailto:apps-discuss@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
References: <4AE62AB7.8080607 at stpeter.im> <4AE6CB4E.9030701 at isode.com> <4AE76608.6030607 at stpeter.im> <02d901ca57f3$46023660$0601a8c0 at allison> <11E83FA6-12C3-4B1C-8BC1-92B42F8C66C8 at Isode.com> <4AE9B74E.9030908 at stpeter.im> <ED76DC63-B85D-4ED0-B6AE-59878EA1634C at Isode.com> <4AEA0C78.70106 at stpeter.im>

On Oct 29, 2009, at 2:43 PM, Peter Saint-Andre wrote:

Do you have examples of referral services and the concept ofreferral in
general?

In directory services accessible by LDAP, an LDAP server can refer theLDAP client to another LDAP server.In web services accessible by HTTP, an HTTP server can redirect theHTTP client to another HTTP server.

A URN resolver service is effectively a referral service.

In the former case, the reference identity is to be implicitlytrusted.
In the latter case, there should be no implicit trust.
I'd be curious to hear your description of "implicit trust".

To me, as used in this thread at least, "implicit trust" implies theinformation authenticity is unquestioned.

As a client is acting upon the behalf of a user, information providedby the user is implicitly trusted. That is, if a user tells a clientto return the resource located by some identifier, that identifier isnot to be questioned. However, in accessing the resource thatidentifier identifies, some resolver, redirection, referral, or likeservice is involved, the authenticity of the service's output shouldbe questioned.


Let me give you an example.

A user asks their RFC3088-supporting LDAP client to access the objectidentified by the DN <dc=example,dc=org>. The client maps this DN tothe domain example.org (using the RFC3088 algorithm) and finds DNS SRVrecords for this domain refer to server example.net. The client thenlooks up the IP address for example.net, and connects to theappropriate service at that IP address to access the named object.

I consider the reference identity in this case is <dc=example,dc=org>and hence it is implicitly trusted. The domain name example.org isdirectly derived from this reference identity via the RFC3088algorithm and, hence, can also be implicitly trusted. But the RFC3088resolver output, example.net, and the domain name to IP addressresolver output, the IP address, should not be implicitly trusted andshould be used in verification that the server is the server the userasked (via the DN) to connect to.

It would be reasonable for an LDAP client to verify the servercertificate via <dc=example,dc=org> and DN-valued subject information(the particulars of which are reasonably beyond the scope of this I-D)and/or verify the server certificate using example.org and domain-valued subject information.


-- Kurt

References:
- Identity Checking in Application Protocols
  - From: Peter Saint-Andre
- Re: Identity Checking in Application Protocols
  - From: Alexey Melnikov
- Re: Identity Checking in Application Protocols
  - From: Peter Saint-Andre
- Re: Identity Checking in Application Protocols
  - From: tom.petch
- Re: Identity Checking in Application Protocols
  - From: Kurt Zeilenga
- Re: Identity Checking in Application Protocols
  - From: Peter Saint-Andre
- Re: Identity Checking in Application Protocols
  - From: Kurt Zeilenga
- Re: Identity Checking in Application Protocols
  - From: Peter Saint-Andre

Prev by Date: Review of metalink I-D
Next by Date: Re: draft-nottingham-site-meta-03 --> -04
Previous by thread: Re: Identity Checking in Application Protocols
Next by thread: Re: Identity Checking in Application Protocols
Index(es):
- Date
- Thread

Re: Identity Checking in Application Protocols

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.