Issues in Identifier Comparison for Security Purposes
RFC 6943
|
| Document |
Type |
|
RFC - Informational
(May 2013; No errata)
|
|
Last updated |
|
2013-05-09
|
|
Stream |
|
IAB
|
|
Formats |
|
plain text
pdf
html
bibtex
|
| Stream |
IAB state
|
|
Published RFC
|
|
Consensus Boilerplate |
|
Unknown
|
|
RFC Editor Note |
|
(None)
|
Internet Architecture Board (IAB) D. Thaler, Ed.
Request for Comments: 6943 Microsoft
Category: Informational May 2013
ISSN: 2070-1721
Issues in Identifier Comparison for Security Purposes
Abstract
Identifiers such as hostnames, URIs, IP addresses, and email
addresses are often used in security contexts to identify security
principals and resources. In such contexts, an identifier presented
via some protocol is often compared using some policy to make
security decisions such as whether the security principal may access
the resource, what level of authentication or encryption is required,
etc. If the parties involved in a security decision use different
algorithms to compare identifiers, then failure scenarios ranging
from denial of service to elevation of privilege can result. This
document provides a discussion of these issues that designers should
consider when defining identifiers and protocols, and when
constructing architectures that use multiple protocols.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6943.
Thaler Informational [Page 1]
RFC 6943 Identifier Comparison May 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction ....................................................3
1.1. Classes of Identifiers .....................................5
1.2. Canonicalization ...........................................5
2. Identifier Use in Security Policies and Decisions ...............6
2.1. False Positives and Negatives ..............................7
2.2. Hypothetical Example .......................................8
3. Comparison Issues with Common Identifiers .......................9
3.1. Hostnames ..................................................9
3.1.1. IPv4 Literals ......................................11
3.1.2. IPv6 Literals ......................................12
3.1.3. Internationalization ...............................13
3.1.4. Resolution for Comparison ..........................14
3.2. Port Numbers and Service Names ............................14
3.3. URIs ......................................................15
3.3.1. Scheme Component ...................................16
3.3.2. Authority Component ................................16
3.3.3. Path Component .....................................17
3.3.4. Query Component ....................................17
3.3.5. Fragment Component .................................17
3.3.6. Resolution for Comparison ..........................18
3.4. Email Address-Like Identifiers ............................18
4. General Issues .................................................19
4.1. Conflation ................................................19
4.2. Internationalization ......................................20
4.3. Scope .....................................................21
4.4. Temporality ...............................................21
5. Security Considerations ........................................22
6. Acknowledgements ...............................................22
7. IAB Members at the Time of Approval ............................23
8. Informative References .........................................23
Thaler Informational [Page 2]
RFC 6943 Identifier Comparison May 2013
1. Introduction
In computing and the Internet, various types of "identifiers" are
used to identify humans, devices, content, etc. This document
provides a discussion of some security issues that designers should
Show full document text