Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 June 2014 21:14 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFFAC1A03EC for <dane@ietfa.amsl.com>; Mon, 2 Jun 2014 14:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fALSR480xoe4 for <dane@ietfa.amsl.com>; Mon, 2 Jun 2014 14:14:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B2DB1A03DF for <dane@ietf.org>; Mon, 2 Jun 2014 14:14:01 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B31672AAFFC; Mon, 2 Jun 2014 21:13:54 +0000 (UTC)
Date: Mon, 02 Jun 2014 21:13:54 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140602211354.GU27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org> <OFB1999EAD.836E27A5-ON85257CE8.0067D557-85257CEB.000B5F5E@us.ibm.com> <20140602022733.GK27883@mournblade.imrryr.org> <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <201406022041.s52KfuBT026606@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201406022041.s52KfuBT026606@new.toad.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/2hdyWCAL2sul-rOBA7Dl5MdVhmA
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jun 2014 21:14:03 -0000
On Mon, Jun 02, 2014 at 01:41:56PM -0700, John Gilmore wrote: > TLS servers that offer raw public keys should not restrict their TLSA > records to only those that match raw public keys. There are no such records. Records of the form "3 1 X" also match leaf certificates. > It harms interoperability, and it dents the > general applicability strategy of TLSA records, which is that clients > look through the set of returned TLSA records for the one(s) that are > relevant to their current negotiation. This is not compatible with key rotation or other transitions between past/present/future TLSA records which result in a subset of the TLSA records being "active" (matching the server's actual keys) and another subset being "inactive" (matching either past or future keys). Clients MUST be willing to process all TLSA records, or else should not expect DANE authentication to work. > Raw public key support is *negotiated* by the TLS server. In the > general case, it will likely offer both raw public keys and PKIX > certificates, and the client will choose which option it likes. That's fine "3 1 X" records are compatible with both, but the presence of records with any other known certificate usage or "3 0 X" records (with the possible exception of X == 0) needs to suppress client use of oob public keys when the client's "oob" authentication strategy is DANE. > So > that the transaction can complete authentication regardless of which > option the client chooses, the server's domain name zone should be > free to publish TLSA records that match raw public keys, TLSA records > that match PKIX certificates, or both. That's what "3 1 X" records do. Other records only work with PKIX, and since these may be the only "active" ones (the mythical [Rationale] in short form) the client should assume the worst and not negotiate its way into a dead-end whereby authentication fails. > The TLS server itself should always be free to offer any kind of > authentication that it supports. Yep, that's fine. > I do not understand the reference to SNI. Why is there any greater > need to send an SNI option than in any other TLS negotiation? Is > there something to say here that wasn't already said in RFC 3546 or > RFC 6066? e.g. RFC 3546 page 10: Some mention of interaction with SNI is perhaps redundant, but IMHO useful. Mentioned only because some might think that SNI is only for certificates and is obviated by "oob" keys, but it is not. > > Clients MAY also elect to treat records with usage DANE-EE(3), > > selector Cert(0) and matching type Full(0) as compatible, > > provided they are willing and able to extract the public key > > from such a TLSA record for comparison with the server's bare > > out of band public key. > > I think this is a bad idea. If the TLS server offers a raw public > key, it ["it" is the client here] > should not try to authenticate it via a TLSA record that > contains a PKIX certificate. The intent of raw public keys is to > allow simpler (need I say easier to debug and more secure) clients > that don't need to parse, let alone validate, a PKIX certificate. > This just complicates clients for no gain in interoperability. Clients MAY decide whether they are willing to transform "3 0 0" into the contained "3 1 0". If the WG feel that contrary to the observation by James Cloose this is a bad idea, I am not particularly fixated on this corner case. However, if clients don't map "3 0 0" to "3 1 0", then the presence of "3 0 0" in the TLSA RRset should also suppress use of "oob" keys. > There is no gain in interoperability [...] Indeed, it is only a gain in opportunities to use the oob extension, and thereby make the TLS handshake smaller. > If the point is that the Server Name Indication option sent by the > client might affect the offered key, that's a point. But the same is > even more true of the offered PKIX certificate in traditional TLS, so > if we feel the need to say this, why aren't we already saying it about > PKIX certificates? We are already stating that DANE clients need to use SNI in other contexts. I just carried this over to "oob" keys too. The observation is inessential if it is considered obvious/redundant. -- Viktor.
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Hoffman
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Wes Hardaker
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Jim Schaad
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Tom Gindin
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Olafur Gudmundsson
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Simon Arlott
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni