IETF Logo Mail Archive

Re: [dane] RPK use-case high level problem statement

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 06 June 2014 02:37 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66EF81A03D9 for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 19:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uz4wF6jdLGnw for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 19:37:26 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B942E1A0435 for <dane@ietf.org>; Thu, 5 Jun 2014 19:37:25 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id EC2292AAB4F; Fri, 6 Jun 2014 02:37:18 +0000 (UTC)
Date: Fri, 06 Jun 2014 02:37:18 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140606023718.GU27883@mournblade.imrryr.org>
References: <20140605235915.GR27883@mournblade.imrryr.org> <201406060213.s562DOBT022813@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201406060213.s562DOBT022813@new.toad.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/0mYcaaKlPhw3qO6HqHhusAdc-tY
Subject: Re: [dane] RPK use-case high level problem statement
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 02:37:29 -0000

On Thu, Jun 05, 2014 at 07:13:24PM -0700, John Gilmore wrote:

> >     3. Some subset of servers will have TLSA RRsets during transition
> >        states, not currently defined as "misconfigured", such that
> >        X.509 DANE TLSA authentication works, but RPK DANE TLSA
> >        authentication fails, because the RPK-compatible TLSA RRs
> >        match only past or future keys.
> 
> I do not agree with this and am still awaiting a communication from
> you about why you think this will occur.  Normally, key transitions
> are done by moving from publishing "current" keys, to "current/future"
> keys by adding the future keys.  Those then become "past/current" keys
> when the server's key itself changes, and then are moved to "current"
> keys by dropping the past keys.

Done under separate cover.  Some key rotation scenarios involve
changes from TA issued keys to self-issued keys or the converse.

Or sometimes even simply a change from "3 0 1" with old keys to
a deliberate "3 1 1" with new keys (to make them RPK compatible).


> At no point do the TLSA records in a key rollover include only
> "past/future" keys.  TLS would fail if they did so.

The total set of TLSA RRs indeed always contains present keys when
the server is not misconfigured.  But there is (today) no guarantee
that the "3 1 X" subset of the TLSA RRset contains any present
keys.  I am proposing to document this issue.  We've not yet agreed
on who's responsible for the work-around (client, server, both).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email