On Fri 2015-01-30 11:09:10 -0500, Rob Stradling wrote:
> OK, let's discard option 1 and option 3. Before we settle on option 2,
> here's an option 4 to consider...
>
> 4. "?" matching =1 character in a redacted label.
>
> Examples:
> "dkg.example.net" would be redacted as "???.example.net".
> "???.example.net" cannot match "jeremy.example.net", because the label
> lengths are different (i.e. 3 != 6).
> However, "???.example.net" might match "rob.example.net".
>
> "topsecret.secret.example.com" would be redacted as
> "?????????.??????.example.com".
>
> I don't think there's anything to gain from redacting the length of a
> label, so I prefer option 4. Any thoughts?

Say i've got a dozen machines in my domain, all using an obscure naming
scheme that you won't be able to guess. With option 2, i request and log
a single cert for all of them, but someone monitoring the log can't tell
whether i've got a dozen services or a single service with 11 backup
certs.

My naming scheme might scatter the lengths of the names between 6 and 15
characters, perhaps into 8 different lengths for the 12 services (there
is some random overlap, and some lengths happen to not get hit). With
option 4, you now know that i have at least 8 different services
certified. Furthermore, you know how many characters exactly to search
in. Why would i want to leak this information if i'm interested in
avoiding enumeration?

I also think option 4 is currently ambiguous because of IDN: is the '?'
one character in the IDN? Or one byte in the UTF-8 representation of the
IDN? Or one character in punycode? We can clarify it, but it seems
likely to encourage a little bit of implementation confusion at least
(IDN is confusing enough).

The native unit of DNS is the label. It's simplest to use one redaction
symbol for one label.

> AFAICT, matching =1 character seems marginally more consistent with other
> uses of "?" as a wildcard character:
> http://en.wikipedia.org/wiki/Wildcard_character
> "In Unix-like and DOS operating systems, the question mark ("?") matches
> exactly one character;"
> "In Microsoft Access, wildcard characters can be used in "LIKE"
> expressions; the asterisk sign (*) matches zero or more characters, and
> the question mark (?) matches a single character."

If we follow this reasoning, then the better response is to choose a
different redaction mark, not to make the redaction mark be
per-character. If we don't like '?', and we don't want to use '*'
because of the overlap with current wildcard practice, then we should
choose something else outside the range of the acceptable characters
for DNS. We could use '%' (thanks, SQL!) or '~' or '!' or '#' or '^' or
'|' if we're looking for single-character replacements. I'm personally
fine with '?' to mean "matches a single redacted label", though.

I'd recommend against '_' because even though it is not a valid
character for a hostname, it is a valid DNS label that is used for
things like SRV records (e.g. _foo._tcp.example.net), and SRVName
SubjectAltName entries could include an '_'.

--dkg
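The following is an added example, not code from the thread or from any CT implementation. It models the two redaction rules being debated so the difference in what a log monitor learns can be checked directly. It assumes "option 2" means one '?' stands for one whole redacted label (the per-label rule dkg argues for above), that "option 4" is Rob's per-character rule, and that the hostnames are constructed sample data; the IDN helper uses Python's stock `idna` codec to show the three candidate units a per-character '?' could count.

```python
# Added example: model of per-label vs per-character name redaction.
# Assumptions (not from the thread): option 2 == one '?' per hidden label;
# option 4 == one '?' per character of a hidden label; hosts below are
# constructed sample data.


def redact(name: str, visible_labels: int, per_char: bool) -> str:
    """Hide all but the last `visible_labels` labels of `name`.

    per_char=False: each hidden label becomes a single '?'   (option 2, assumed)
    per_char=True : each hidden label becomes '?' * len(label) (option 4)
    """
    labels = name.split(".")
    hidden, shown = labels[:-visible_labels], labels[-visible_labels:]
    if per_char:
        # len() counts code points here; for IDN labels that is exactly the
        # ambiguity the mail raises (code points vs UTF-8 bytes vs A-label).
        hidden = ["?" * len(label) for label in hidden]
    else:
        hidden = ["?" for _ in hidden]
    return ".".join(hidden + shown)


def matches(redacted: str, name: str, per_char: bool) -> bool:
    """Does a redacted name cover a concrete hostname?

    A redacted label is a run of '?'. Under the per-label rule it matches any
    label; under the per-character rule the lengths must agree as well.
    Visible labels must match exactly, and the label counts must be equal.
    """
    rl, nl = redacted.split("."), name.split(".")
    if len(rl) != len(nl):
        return False
    for r, n in zip(rl, nl):
        if r and set(r) == {"?"}:          # a redacted label
            if per_char and len(r) != len(n):
                return False
            continue
        if r != n:                         # a visible label must match exactly
            return False
    return True


# Constructed sample data: 12 services under one domain, first-label lengths
# scattered between 6 and 15 characters (8 distinct lengths, 10 and 14 unused).
HOSTS = [
    "qzx7ab.example.net", "k3mvpl.example.net", "tr8wqzy.example.net",
    "hb2ndxkq.example.net", "p9lzmtvwr.example.net", "gx4cnfr7b.example.net",
    "jm6ytqhd2vk.example.net", "wv1bpslcxq9.example.net",
    "dz3fnkrmqh8t.example.net", "zq7tcmjwp4rkv.example.net",
    "nl8xvgh3bqdyk.example.net", "yt5hrzplq2mwcsf.example.net",
]


def distinct_redactions(hosts, per_char: bool) -> set:
    """The set of distinct redacted forms a log monitor would observe."""
    return {redact(h, 2, per_char) for h in hosts}


def leaked_label_lengths(hosts) -> set:
    """What the per-character rule reveals: the first-label lengths in use."""
    return {len(h.split(".")[0]) for h in hosts}


def idn_unit_counts(label: str) -> dict:
    """Three different answers to 'how many ? for this IDN label?'."""
    alabel = label.encode("idna").decode("ascii")   # punycode A-label
    return {
        "codepoints": len(label),
        "utf8_bytes": len(label.encode("utf-8")),
        "alabel_chars": len(alabel),
    }


if __name__ == "__main__":
    print("per-label forms :", distinct_redactions(HOSTS, per_char=False))
    print("per-char forms  :", sorted(distinct_redactions(HOSTS, per_char=True)))
    print("lengths leaked  :", sorted(leaked_label_lengths(HOSTS)))
    print("IDN 'b\u00fccher' :", idn_unit_counts("b\u00fccher"))
```

With the sample hosts, the per-label rule collapses all twelve names to the single form `?.example.net`, while the per-character rule yields eight distinct forms, one per label length in use, which is the enumeration aid the mail objects to. The `idn_unit_counts` output for a label such as `bücher` (6 code points, 7 UTF-8 bytes, 13 A-label characters) shows why "one '?' per character" needs a definition before it can be implemented consistently.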
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
