IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 31 May 2014 02:41 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79BFB1A06E7 for <dane@ietfa.amsl.com>; Fri, 30 May 2014 19:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VChYJf75wIKM for <dane@ietfa.amsl.com>; Fri, 30 May 2014 19:41:41 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F13C1A06E5 for <dane@ietf.org>; Fri, 30 May 2014 19:41:40 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id D15C92AB137; Sat, 31 May 2014 02:41:34 +0000 (UTC)
Date: Sat, 31 May 2014 02:41:34 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140531024134.GF27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <20140529141626.GH27883@mournblade.imrryr.org> <047901cf7c70$973d92d0$c5b8b870$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <047901cf7c70$973d92d0$c5b8b870$@augustcellars.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/9V_ZhhDzJHUr5dphNbX3TdqqoiQ
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 May 2014 02:41:42 -0000

On Fri, May 30, 2014 at 06:35:06PM -0700, Jim Schaad wrote:

> > I think there is an obvious format, that should be spelled out explicitly in
> > some suitable document.  Namely the same format as for the SPKI of a leaf
> > certificate with any supported matching
> > type:
> > 
> >     ; Match SPKI of a certificate or just the bare public key
> >     _25._tcp.mx1.example.com IN TLSA DANE-EE(3) SPKI(1) ? {blob}
> > 
> [JLS] That may be one obvious format.  I think that an even better format
> would be to define a new TLSA certificate type so that the client will know
> that an OOB bare key is what is coming.   Thus
> 
>     ; Match SPKI of a certificate or just the bare public key
>     _25._tcp.mx1.example.com IN TLSA DANE-BARE-KEY(4) SPKI(1) ? {blob}

This I think adds no value over DANE-EE(3) and needlessly makes
server operators publish two records where one will do.

It should be possible for clients to offer the new TLS extention
when it is compatible with the server's TLSA RRs and to authenticate
the server either based on a full X.509 cert or a bare SPKI.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email