Internet Draft Paul Hoffman draft-hoffman-pkix-stringmatch-00.txt Internet Mail Consortium July 7, 2004 Steve Hanna Expires in six months Sun Microsystems Matching Text Strings in PKIX Certificates By submitting this Internet-Draft, we certify that any applicable patent or other IPR claims of which we are aware have been disclosed, or will be disclosed, and any of which we become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than a "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html Abstract Strings of text appear in many fields in PKIX certificates. Some applications need to compare the values in these fields to strings from other certificates, or to values obtained in other manners. For many string encodings, this can be done in an octet-by-octet fashion. Other encodings, however, require preparation before the strings can be compared. This document describes that preparation and when it needs to be applied. 1. Introduction Because of the shared background of PKIX, LDAP, and X.500, matching strings from PKIX certificates uses the same principles as matching strings from X.500 directories. Therefore, this document simply refers to the specification for matching LDAP strings. The [LDAP-STRINGPREP] document fully specifies all the steps needed for string comparison. This specification applies to all string encodings supported by PKIX. When matching names in certificates, having consistent and well-defined matching rules is important. Otherwise, many security problems can occur, as described in the Security Considerations section of this document. In addition to these security problems, there will likely be usability problems. In Unicode, there are often several valid ways to encode a string. For example, the character for "e with an accent" can be represented either as a single character, or as a string of two characters: the letter "e" followed by the combining accent character. These should be considered equivalent. With stringprep, they are, but with binary comparison, they are not. 1.1 Terminology The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in RFC 2119 [KEYWORDS]. 2. String Comparison To compare a string from a PKIX certificate to another string, both strings MUST be prepared as specified in section 2 of [LDAP-STRINGPREP]. All six sub-sections of that specification MUST be performed, and they MUST be performed in the order specified. 2.1 Applicability of this specification The most important certificate fields that this specification applies to are those with names that are created by and for people. These include any place a Name, GeneralName, or GeneralNames structures. The most commonly used fields in an X.509 certificate that use these structures are issuer, subject, subjectAltName, NameConstraints, and DistributionPoint. This algorithm SHOULD NOT be used for matching CRL distribution point names or cRLIssuer. A binary comparison SHOULD be used for such mapping. There is no reason why a distribution point name or cRLIssuer should not match exactly because they are both generated by the same party or its CRL issuer. Also, an interloper might use an inexact match to forge a CRL by getting a certificate whose subject name matches the cRLIssuer contained in another certificate due to the inexact match. 3. Security considerations All security considerations from [LDAP-STRINGPREP] are inherited. In addition to the security considerations mentioned in [LDAP-STRINGPREP], there are several others specific to certificates. Matching of X.500 names currently varies widely in different implementations. Some do a binary comparison for UTF8String. Some attempt to do a more sophisticated case-insensitive comparison but use an algorithm different than the one given in this specification. Some will soon be using this algorithm. We can expect that such wide variations will continue in the future during a transition period and even beyond this period if bugs are present. Often, such variations will cause systems to fail safe. Path validation will fail when a relying party uses binary comparison to match X.500 names that differ slightly if the match is performed as part of subject-issuer name chaining or permittedSubtrees processing. However, security vulnerabilities may be opened if the CA assumed binary comparison would be used and the relying party uses the more lenient matching for subject-issuer name chaining or permittedSubtrees processing. For subject-issuer name chaining, the signature check should catch the problem, but for permittedSubtrees processing, the problem remains. In specific, an X.500 name that the CA did not intend to include in the permittedSubtrees might be allowed. It is not clear that this is a substantial problem since the name will likely be very similar in appearance to a name that was meant to be allowed. More substantial problems can occur if a relying party uses binary comparison to determine that an X.500 name does not match excludedSubtrees and the CA expected that it would match because of the more lenient processing. However, this problem is probably already present since some relying parties do not perform case-insensitive comparisons of PrintableString components in a DirectoryString, even though it is required by RFC 3280. To avoid these problems, systems need to avoid the use of excludedSubtrees unless they are satisfied with a binary match against subject names and subject alternative names. 4. References 4.1 Normative references [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [LDAP-STRINGPREP] Zeilenga, K., LDAP: Internationalized String Preparation draft-ietf-ldapbis-strprep, work in progress 5. Author's address Paul Hoffman Internet Mail Consortium phoffman@imc.org Steve Hanna Steve.Hanna@Sun.COM 6. Open issues Should this specification apply to all names in an X.509 certificate, or only DirectoryStrings in X.500 names? Should this spec apply to self-signed certificates, or should they be an exception? 7. Notices Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.