IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 June 2014 21:14 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFFAC1A03EC for <dane@ietfa.amsl.com>; Mon, 2 Jun 2014 14:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fALSR480xoe4 for <dane@ietfa.amsl.com>; Mon, 2 Jun 2014 14:14:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B2DB1A03DF for <dane@ietf.org>; Mon, 2 Jun 2014 14:14:01 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B31672AAFFC; Mon, 2 Jun 2014 21:13:54 +0000 (UTC)
Date: Mon, 02 Jun 2014 21:13:54 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140602211354.GU27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org> <OFB1999EAD.836E27A5-ON85257CE8.0067D557-85257CEB.000B5F5E@us.ibm.com> <20140602022733.GK27883@mournblade.imrryr.org> <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <201406022041.s52KfuBT026606@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201406022041.s52KfuBT026606@new.toad.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/2hdyWCAL2sul-rOBA7Dl5MdVhmA
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jun 2014 21:14:03 -0000

On Mon, Jun 02, 2014 at 01:41:56PM -0700, John Gilmore wrote:

> TLS servers that offer raw public keys should not restrict their TLSA
> records to only those that match raw public keys.

There are no such records.  Records of the form "3 1 X" also match
leaf certificates.

> It harms interoperability, and it dents the
> general applicability strategy of TLSA records, which is that clients
> look through the set of returned TLSA records for the one(s) that are
> relevant to their current negotiation.

This is not compatible with key rotation or other transitions
between past/present/future TLSA records which result in a subset
of the TLSA records being "active" (matching the server's actual
keys) and another subset being "inactive" (matching either past or
future keys).

Clients MUST be willing to process all TLSA records, or else should
not expect DANE authentication to work.

> Raw public key support is *negotiated* by the TLS server.  In the
> general case, it will likely offer both raw public keys and PKIX
> certificates, and the client will choose which option it likes.

That's fine "3 1 X" records are compatible with both, but the
presence of records with any other known certificate usage or "3
0 X" records (with the possible exception of X == 0) needs to
suppress client use of oob public keys when the client's "oob"
authentication strategy is DANE.

> So
> that the transaction can complete authentication regardless of which
> option the client chooses, the server's domain name zone should be
> free to publish TLSA records that match raw public keys, TLSA records
> that match PKIX certificates, or both.

That's what "3 1 X" records do.  Other records only work with PKIX,
and since these may be the only "active" ones (the mythical
[Rationale] in short form) the client should assume the worst and
not negotiate its way into a dead-end whereby authentication fails.

> The TLS server itself should always be free to offer any kind of
> authentication that it supports.

Yep, that's fine.

> I do not understand the reference to SNI.  Why is there any greater
> need to send an SNI option than in any other TLS negotiation?  Is
> there something to say here that wasn't already said in RFC 3546 or
> RFC 6066?  e.g. RFC 3546 page 10:

Some mention of interaction with SNI is perhaps redundant, but IMHO
useful.  Mentioned only because some might think that SNI is only
for certificates and is obviated by "oob" keys, but it is not.


> >     Clients MAY also elect to treat records with usage DANE-EE(3),
> >     selector Cert(0) and matching type Full(0) as compatible,
> >     provided they are willing and able to extract the public key
> >     from such a TLSA record for comparison with the server's bare
> >     out of band public key.
> 
> I think this is a bad idea.  If the TLS server offers a raw public
> key, it

["it" is the client here]

> should not try to authenticate it via a TLSA record that
> contains a PKIX certificate.  The intent of raw public keys is to
> allow simpler (need I say easier to debug and more secure) clients
> that don't need to parse, let alone validate, a PKIX certificate.
> This just complicates clients for no gain in interoperability.

Clients MAY decide whether they are willing to transform "3 0 0"
into the contained "3 1 0".  If the WG feel that contrary to the
observation by James Cloose this is a bad idea, I am not particularly
fixated on this corner case.  However, if clients don't map "3 0 0"
to "3 1 0", then the presence of "3 0 0" in the TLSA RRset should
also suppress use of "oob" keys.

> There is no gain in interoperability [...]

Indeed, it is only a gain in opportunities to use the oob extension,
and thereby make the TLS handshake smaller.

> If the point is that the Server Name Indication option sent by the
> client might affect the offered key, that's a point.  But the same is
> even more true of the offered PKIX certificate in traditional TLS, so
> if we feel the need to say this, why aren't we already saying it about
> PKIX certificates?

We are already stating that DANE clients need to use SNI in other
contexts.  I just carried this over to "oob" keys too.  The
observation is inessential if it is considered obvious/redundant.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email