Thanks again, DKG. Option 2 it is then.
2. "?." matching =1 redacted label.
Do you think we should support redacting (for example)
"public.secret.example.com" to "public.?.example.com" ?
Or, to keep it simple, shall we disallow unredacted labels to the left
of a redacted label?
On 30/01/15 16:32, Daniel Kahn Gillmor wrote:
> On Fri 2015-01-30 11:09:10 -0500, Rob Stradling wrote:
>> OK, let's discard option 1 and option 3. Before we settle on option 2,
>> here's an option 4 to consider...
>> 4. "?" matching =1 character in a redacted label.
>> Examples:
>> "dkg.example.net" would be redacted as "???.example.net".
>> "???.example.net" cannot match "jeremy.example.net", because the label
>> lengths are different (i.e. 3 != 6).
>> However, "???.example.net" might match "rob.example.net".
>> "topsecret.secret.example.com" would be redacted as
>> "?????????.??????.example.com".
>> I don't think there's anything to gain from redacting the length of a
>> label, so I prefer option 4. Any thoughts?
> Say I've got a dozen machines in my domain, all using an obscure naming
> scheme that you won't be able to guess.
> With option 2, I request and log a single cert for all of them, but
> someone monitoring the log can't tell whether I've got a dozen services
> or a single service with 11 backup certs.
> My naming scheme might scatter the lengths of the names between 6 and 15
> characters, perhaps into 8 different lengths for the 12 services (there
> is some random overlap, and some lengths happen to not get hit).
> With option 4, you now know that I have at least 8 different services
> certified. Furthermore, you know how many characters exactly to search
> in.
> Why would I want to leak this information if I'm interested in avoiding
> enumeration?
> I also think option 4 is currently ambiguous because of IDN:
> Is the '?' one character in IDN? Or one byte in the UTF-8 representation of
> the IDN? Or one character in punycode? We can clarify it, but it seems
> likely to encourage a little bit of implementation confusion at least
> (IDN is confusing enough).
> The native unit of DNS is the label. It's simplest to use one redaction
> symbol for one label.
>> AFAICT, matching =1 character seems marginally more consistent with other
>> uses of "?" as a wildcard character:
>> http://en.wikipedia.org/wiki/Wildcard_character
>> "In Unix-like and DOS operating systems, the question mark ("?") matches
>> exactly one character;"
>> "In Microsoft Access, wildcard characters can be used in "LIKE"
>> expressions; the asterisk sign (*) matches zero or more characters, and
>> the question mark (?) matches a single character."
> If we follow this reasoning, then the better response is to choose a
> different redaction mark, not to make the redaction mark be
> per-character. If we don't like ?, and we don't want to use * because
> of the overlap with current wildcard practice, then we should choose
> something else outside the range of the acceptable characters for DNS.
> We could use '%' (thanks, SQL!) or '~' or '!' or '#' or '^' or '|' if
> we're looking for single-character replacements.
> I'm personally fine with '?' to mean "matches a single redacted label",
> though.
> I'd recommend against '_' because even though it is not a valid
> character for a hostname, it is a valid DNS label that is used for
> things like SRV records (e.g. _foo._tcp.example.net), and SRVName
> SubjectAltName entries could include an '_'.
> --dkg
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
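The following is an added worked example, not code from the Trans draft under discussion or from either poster. It models the two redaction options debated above (option 2: one "?" per redacted label; option 4: one "?" per character of a redacted label), a matcher for each, and DKG's two objections: the label-length leak a log monitor sees, and the three different lengths an IDN label has depending on whether you count code points, UTF-8 bytes or punycode characters. The function names, the 12-host fleet, the 37-symbol LDH alphabet and the use of Python's stdlib "idna" codec are assumptions made for this demo.

```python
# Added example (not from the Trans draft or from either poster): option 2 vs
# option 4 name redaction, and what each leaks to a CT log monitor.
# Assumed: function names, the constructed FLEET, LDH_ALPHABET = 37, and the
# stdlib "idna" codec (IDNA2003) for A-label lengths.


def split_labels(name):
    """DNS labels, left to right. A trailing dot (FQDN form) is tolerated."""
    return name.rstrip(".").split(".")


def label_length(label, unit="codepoints"):
    """Length of one label under the three readings DKG says option 4 leaves
    ambiguous for IDNs: Unicode code points of the U-label, bytes of its UTF-8
    encoding, or characters of the punycode A-label (xn--...)."""
    if unit == "codepoints":
        return len(label)
    if unit == "utf8":
        return len(label.encode("utf-8"))
    if unit == "alabel":
        return len(label.encode("idna"))
    raise ValueError("unknown length unit: %r" % unit)


def redact_option2(name, keep_labels):
    """Option 2: every label left of the rightmost keep_labels becomes one '?'."""
    labels = split_labels(name)
    n = max(0, len(labels) - keep_labels)
    return ".".join(["?"] * n + labels[n:])


def redact_option4(name, keep_labels, unit="codepoints"):
    """Option 4: each character of a redacted label becomes '?', so the
    label's length survives redaction."""
    labels = split_labels(name)
    n = max(0, len(labels) - keep_labels)
    hidden = ["?" * label_length(lab, unit) for lab in labels[:n]]
    return ".".join(hidden + labels[n:])


def matches_option2(redacted, candidate):
    """Does a candidate match a redacted name under option 2? Mixed forms
    such as public.?.example.com are accepted, so both of Rob's variants
    can be checked."""
    r, c = split_labels(redacted), split_labels(candidate)
    return len(r) == len(c) and all(x == "?" or x == y for x, y in zip(r, c))


def matches_option4(redacted, candidate, unit="codepoints"):
    """Under option 4 a run of '?' matches only a label of exactly that length."""
    r, c = split_labels(redacted), split_labels(candidate)
    if len(r) != len(c):
        return False
    for x, y in zip(r, c):
        if x and set(x) == {"?"}:
            if len(x) != label_length(y, unit):
                return False
        elif x != y:
            return False
    return True


# Constructed fleet for DKG's scenario: 12 hosts with leftmost-label lengths
# between 6 and 15 characters, hitting 8 distinct lengths (6,7,8,9,10,11,12,15).
FLEET = [
    "quasar.example.net", "nebula.example.net", "sunspot.example.net",
    "redshift.example.net", "asteroid.example.net", "starburst.example.net",
    "heliopause.example.net", "magnetotail.example.net",
    "photosphere.example.net", "chromosphere.example.net",
    "thermosphere.example.net", "interstellar-01.example.net",
]

LDH_ALPHABET = 37   # a-z, 0-9 and '-', case-insensitive; hyphen placement rules ignored
MAX_LABEL_LEN = 63


def leak_report(names, keep_labels):
    """What a monitor learns from the SAN list of one cert covering `names`.
    Only the leftmost label is considered for the brute-force estimate."""
    opt2 = {redact_option2(n, keep_labels) for n in names}
    opt4 = {redact_option4(n, keep_labels) for n in names}
    lengths = {label_length(split_labels(n)[0]) for n in names}
    with_lengths = sum(LDH_ALPHABET ** L for L in lengths)
    without_lengths = sum(LDH_ALPHABET ** L for L in range(1, MAX_LABEL_LEN + 1))
    return {
        "option2_distinct": len(opt2),      # 1 entry: a dozen hosts or one, can't tell
        "option4_distinct": len(opt4),      # 8 entries: at least 8 distinct services
        "option4_visible_lengths": lengths,
        "guesses_with_lengths": with_lengths,
        "guesses_without_lengths": without_lengths,
    }


def idn_length_variants(label):
    """The same IDN label's '?' count under each reading of 'one character'."""
    return {u: label_length(label, u) for u in ("codepoints", "utf8", "alabel")}


if __name__ == "__main__":
    print(redact_option2("dkg.example.net", 2), redact_option4("dkg.example.net", 2))
    print(leak_report(FLEET, 2))
    print(idn_length_variants("bücher"))
```

Running it shows the two points DKG makes: the whole fleet collapses to a single "?.example.net" entry under option 2 but to eight distinct length patterns under option 4, and a single label such as "bücher" would need a different number of "?" characters depending on whether the draft counted code points, UTF-8 bytes or the A-label, which is the ambiguity a per-label mark avoids entirely.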