IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Paul Wouters <paul@cypherpunks.ca> Tue, 08 May 2012 19:47 UTC

Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B52A9E8007 for <dane@ietfa.amsl.com>; Tue, 8 May 2012 12:47:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id anXzOGbYnZY0 for <dane@ietfa.amsl.com>; Tue, 8 May 2012 12:47:11 -0700 (PDT)
Received: from letoams.cypherpunks.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id BEBE29E8006 for <dane@ietf.org>; Tue, 8 May 2012 12:47:11 -0700 (PDT)
Received: by letoams.cypherpunks.ca (Postfix, from userid 500) id 8432F853FC; Tue, 8 May 2012 15:47:10 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by letoams.cypherpunks.ca (Postfix) with ESMTP id 793898032E; Tue, 8 May 2012 15:47:10 -0400 (EDT)
Date: Tue, 8 May 2012 15:47:10 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Andrew Sullivan <ajs@anvilwalrusden.com>
In-Reply-To: <20120508155300.GJ10226@mail.yitter.info>
Message-ID: <alpine.LFD.2.02.1205081538220.14847@bofh.nohats.ca>
References: <20120504165512.GC7394@mail.yitter.info> <CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com> <20120504194132.GF7394@mail.yitter.info> <alpine.LFD.2.02.1205041553030.7798@bofh.nohats.ca> <AD11709E-F662-492E-BE3B-23ADD82536F0@icsi.berkeley.edu> <C8A32DF2-E912-4D53-B0E3-D79852632A3E@kumari.net> <C8244A46-63BD-4903-B72C-6AB43413FB61@ICSI.Berkeley.EDU> <DEED37B2-216E-44DA-8EDC-8E4271BDCBD5@vpnc.org> <A6208FF0-4544-470C-BBBD-5C4E328C6EC4@ICSI.Berkeley.EDU> <201205072316.q47NGbcF013098@new.toad.com> <20120508155300.GJ10226@mail.yitter.info>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2012 19:47:12 -0000

On Tue, 8 May 2012, Andrew Sullivan wrote:

> On Mon, May 07, 2012 at 04:16:37PM -0700, John Gilmore wrote:
>> I think that if the DANE TLS implementation can't get either a
>> dnssec-validated TLSA rrset, or a dnssec-validated absence of a TLSA
>> rrset, then to meet its security responsibilities, it has to fail to
>> connect.
>
> This is a strong statement, and is perhaps what ekr was asking for
> too.  It's that "fail to connect" that bugs me.  For it means that, if
> a client is TLSA-aware and it happens to find itself in some sort of
> environment in which TLSA records don't work, or DNSSEC records don't
> work, or both, there is exactly one thing it can do: foil all TLS
> connection attempts.

We really have no other choice. Your mother did not tell you when you
were young "Always lock the door if you are the last one leaving the
house, except when you think someone else might arrive home first, in
which case put the key under the door mat". She just said "always lock
the door" and you left the key under the mat sometimes anyway.

> Just to be clear, what that does it cause the user to turn the browser
> into a TLSA-unaware client.  If I had to bet, I'd bet that it will
> persist and that it will itself become a barrier to operation.
>
> It feels to me like this discussion lies right on the barrier of
> "protocol" and "local policy", and that may be the reason it appears
> to be intractable.  On the one hand, I can't believe anyone wants a
> requirement that actually increases the chances people will make
> connections without TLS, by making TLS impossible in some networks
> where it sort of works today.  On the other hand, I understand (and
> agree with) the analysis pointing out the attack available if a
> complete non-response causes fall-through to traditional TLS
> processing.  I'm wondering whether implementation or deployment advice
> (perhaps in another document) is something that's not just nice to
> have, but needed.

Let's leave those decisions to the browser vendors. They've gone through
this before and will go through this again. Ultimately, the biggest real
use-case is the hotspot case, and currently, it is mostly the browser
that detects this first. That has to change, and once the OS detects
this first, it can provide hints to the browser, and ultimately, even
have the browser start a sandboxed sign-on window to authenticate and
allow contained spoofed DNS before opening up the entire machine to DNS
and port HTTP(S). If networks are still DNSSEC broken after
authentication, and they are blocking port 53 and they are blocking fall
back resolvers over port 80 and/or 443, then really, what else is there
to do then hard fail?

Paul

v2.8.7 | Report a Bug | By Email