[cabf_validation] Ambiguous grammar for parameters in RFC 6844 (CAA)

Corey Bonnell CBonnell at trustwave.com
Fri Dec 15 13:17:17 MST 2017


Hi Tim,
Unfortunately, I think the original intent is a bit unclear, as section 3 (https://tools.ietf.org/html/rfc6844#section-3) has the syntax listed as such:
issue <Issuer Domain Name> [; <name>=<value> ]*

In other words, section 3 indicates that parameters are delimited using semicolons (and not whitespace, as section 5.2 would indicate if it had an unambiguous grammar ☺). There was an erratum (errata #5200) submitted last week for this inconsistency between section 3 and 5.2: https://www.rfc-editor.org/errata/eid5200

Given this inconsistency, I think it would be valuable to discuss how we will rectify the difference in syntax as defined in section 3 and 5.2 in addition to shoring up the grammar in section 5.2.

Thanks,
Corey

From: Tim Hollebeek <tim.hollebeek at digicert.com>
Date: Friday, December 15, 2017 at 2:44 PM
To: Corey Bonnell <CBonnell at trustwave.com>, CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: RE: Ambiguous grammar for parameters in RFC 6844 (CAA)

Thanks Corey.  I noticed this flaw as well 😊  On a recent public call, we decided to handle issues CAs are having with CAA under the validation group, so you’re in the right place!

The good news is I think this is another case where the original intent is obvious, even if the grammar is written incorrectly.  I would suggest that any CAs implementing this follow the “1 or more spaces” interpretation to avoid confusion.  We can discuss that on the next validation call, and if everyone agrees about that, we start discussing filing an errata with the IETF folks.

Also note that there may *never* be a date when CAs are required to support this proposal.  It will work fine as a completely voluntary initiative that CAs can join as their schedule allows.  This is more of a standardization for the purpose of interoperability and avoiding confusion, than it is a security requirements thing.

-Tim

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Corey Bonnell via Validation
Sent: Friday, December 15, 2017 9:10 AM
To: validation at cabforum.org
Subject: [cabf_validation] Ambiguous grammar for parameters in RFC 6844 (CAA)

In order to prepare for reading Tim’s proposal on CAA parameters, I took a further look into the grammar of parameters in issue/issuewild records as defined in section 5.2 of RFC 6844 (https://tools.ietf.org/html/rfc6844#section-5.2)<https://scanmail.trustwave.com/?c=4062&d=paa02p-PyakvH_LnJNRzeAR-40CdD2jvuZUpVJO7jg&s=5&u=https%3a%2f%2fclicktime%2esymantec%2ecom%2fa%2f1%2f95vPz9%5fSVynPDM1iZ9QEuaqw1EzVxnVsyTpOGNyvspY%3d%3fd%3dK1j9YZml8BQsMIPQKm65pnv6Th4Fv-NDQFZBYbeRv3j4esjzlFYQ4eJ4hD4O28jd7tjVazOx5YbP-BcPLYWfeptu7YaCXRCTTW0FHgwIuSGjE58UxzXJLAKAGx4aM8DUXITiVI4usbzCzxRfI2bDB2hxnTGQ5H-KphtIacv5APdSC9eoM9znOD8p-1tg8xxiH5GlC-sP0Wt%5fy9U2enviPm%5f7BZQ2Jok8eTv6KP9i501FuzuaNwNtS0N4mTit32%5fY1BFRlN9jI7RAW59ozBi-9B1CQlkYjwjTLwb%5fWhZwl0ZOui7RMp7CkwDLEqaw0JcrTtxAIJHqzxeFOJnYtvWcD0mtY5OpBYAgoLSDy2xR7VPl%5fmaABfSmoTxrFL5lVO-GxQcaomGNbcqtdZFN%5fN8YQlfRGBIRZepKBrS5GSjHo7F7LYF5yeh%5fRt1PiS4%253D%26u%3dhttps%253A%252F%252Ftools%2eietf%2eorg%252Fhtml%252Frfc6844%2523section-5%2e2%2529> and realized that the ABNF grammar is ambiguous. Specifically, the ABNF grammar as written does not require that parameter tag/value pairs be delimited by whitespace, which can lead to ambiguous parses of parameters.

Here are the relevant production rules from section 5.2:
issuevalue = space [domain] space [";" *(space parameter) space]
space = *(SP / HTAB)
parameter = tag "=" value
tag = 1*(ALPHA / DIGIT)
value = *VCHAR

The salient piece here is that the “space” production rule is defined as a sequence of *zero* or more space or horizontal tab characters, which means that multiple parameters can be delimited by 0 space characters (in other words, they’re not delimited at all). Since the character “=” is a VCHAR, this can lead to ambiguous parses of parameter strings such as “a=bc=d” (is that one parameter with a tag of “a” and a value of “bc=d”, or is it two parameters with a tag of “a” and a value of “b” and a tag of “c” and a value of “d”?). As a practical example using the proposed parameters in Tim’s proposal, the parameters string “validation=Phonetype=EV” (which is very possible if the customer accidentally omits the space between “Phone” and “type”) would parse to either a parameter tag of “validation” and a value of “Phonetype=EV”, or it would parse to parameter tag of “validation” with a value of “P” and a parameter tag of “honetype” with a value of “EV”.


A quick fix for this ambiguity is to redefine the “issuevalue” and “space” production rules such that at least 1 space character is required between parameters (there probably is a more elegant way to express this, but here’s the general idea):
issuevalue = [space] [domain] [space] [";" [space] [parameters] [space]]
space = 1*(SP / HTAB)
parameters = (parameter space parameters) / parameter

I believe it’s important that this ambiguity be resolved before CAs are required to honor various CAA parameters. Otherwise, there will be much confusion when CAs have different (but equally valid) interpretations of the same CAA record’s parameters.

Since there is no “formal” CAA working group, I’m not sure if we want to present this finding to the LAMPS WG so that the appropriate changes can be made to RFC 6844-bis, or if we want to handle this in another manner.

Thanks,
Corey

Corey Bonnell
Senior Software Engineer

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<https://scanmail.trustwave.com/?c=4062&d=paa02p-PyakvH_LnJNRzeAR-40CdD2jvuZR_BMW1jw&s=5&u=https%3a%2f%2fclicktime%2esymantec%2ecom%2fa%2f1%2fC3IVN-YE91aNgPOVWuNyleidD9MZfHJYOZq4Gb6ceSo%3d%3fd%3dK1j9YZml8BQsMIPQKm65pnv6Th4Fv-NDQFZBYbeRv3j4esjzlFYQ4eJ4hD4O28jd7tjVazOx5YbP-BcPLYWfeptu7YaCXRCTTW0FHgwIuSGjE58UxzXJLAKAGx4aM8DUXITiVI4usbzCzxRfI2bDB2hxnTGQ5H-KphtIacv5APdSC9eoM9znOD8p-1tg8xxiH5GlC-sP0Wt%5fy9U2enviPm%5f7BZQ2Jok8eTv6KP9i501FuzuaNwNtS0N4mTit32%5fY1BFRlN9jI7RAW59ozBi-9B1CQlkYjwjTLwb%5fWhZwl0ZOui7RMp7CkwDLEqaw0JcrTtxAIJHqzxeFOJnYtvWcD0mtY5OpBYAgoLSDy2xR7VPl%5fmaABfSmoTxrFL5lVO-GxQcaomGNbcqtdZFN%5fN8YQlfRGBIRZepKBrS5GSjHo7F7LYF5yeh%5fRt1PiS4%253D%26u%3dhttp%253A%252F%252Fwww%2etrustwave%2ecom%252F>

2017 Best Managed Security Service Winner – SC Media
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20171215/c0baa1c9/attachment-0001.html>


More information about the Validation mailing list