Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 04 June 2014 12:59 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6A321A01D2 for <dane@ietfa.amsl.com>; Wed, 4 Jun 2014 05:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IVL9DS9vSU-Y for <dane@ietfa.amsl.com>; Wed, 4 Jun 2014 05:58:59 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 3AEBA1A01D5 for <dane@ietf.org>; Wed, 4 Jun 2014 05:58:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id AC7B5BF43; Wed, 4 Jun 2014 13:58:52 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BVcq76s1eo9H; Wed, 4 Jun 2014 13:58:49 +0100 (IST)
Received: from [10.43.50.173] (unknown [193.190.253.145]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EB538BF42; Wed, 4 Jun 2014 13:58:48 +0100 (IST)
Message-ID: <538F180A.40906@cs.tcd.ie>
Date: Wed, 04 Jun 2014 13:58:50 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Olafur Gudmundsson <ogud@ogud.com>, John Gilmore <gnu@toad.com>
References: <201405290805.s4T85HBT008757@new.toad.com> <08E92113-6C1F-4BD3-8846-4B117FA1AC1E@ogud.com>
In-Reply-To: <08E92113-6C1F-4BD3-8846-4B117FA1AC1E@ogud.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/FAT6JSzEc73BRldXSPMGdac1Jes
Cc: dane@ietf.org
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 12:59:01 -0000
Thanks Olafur, Now that the DANE WG are going to address this issue, I think that means that John can send his approval for auth-48 for oob and we can move it forward. Cheers, S. On 04/06/14 03:19, Olafur Gudmundsson wrote: > > John, > Sorry for the top posting of our main arguments. > RFC7250 has shipped, please do not hold up the publication. > We need a quick turnaround to address the issues you identified below. > > As Wes Hardaker commented in a later message we have an “Dane uses and fixes” document in the > queue and adding this to it is appropriate. (dane-ops) > <more comments inline plan at the bottom> > > On May 29, 2014, at 4:05 AM, John Gilmore <gnu@toad.com> wrote: > >> The TLS Working Group is in the final stages of approving RFC 7250, >> "Using Raw Public Keys in TLS/DTLS": >> >> https://www.rfc-editor.org/authors/rfc7250.txt >> >> The draft modifies the TLS protocol to allow clients and servers to >> negotiate and exchange types of authentication material other than >> PKIX certificate chains, and defines a format for exchanging a raw >> public key. These public keys are authenticated "out of band", >> outside the TLS protocol, for example by prior administration (in some >> Internet-of-Things cases), or by the use of DANE. Paul Wouters was >> the main author, and the protocol and document were significantly >> improved by several co-authors from the TLS WG. >> >> In reviewing the draft, I noticed that it doesn't ever describe how >> you store such a public key in a TLSA record. And the TLSA RFC 6698 >> explicitly specifies that TLSA records can ONLY store PKIX >> certificates! The relevant sections are: >> >> RFC 6698 Sec. 1.3: >> >> This document only applies to PKIX [RFC5280] certificates, not >> certificates of other formats. > > This is a major change and specifying how to do other certificate types > should go through the normal standards process. > DANE WG is happy to take that on, and this should be processed before we go on to DANE-bis document. > >> >> RFC 6698 Sec. 2.1.1: >> >> The certificate usages defined in this document explicitly only apply >> to PKIX-formatted certificates in DER encoding [X.690]. If TLS >> allows other formats later, or if extensions to this RRtype are made >> that accept other formats for certificates, those certificates will >> need their own certificate usage values. >> >> I remember fighting this fight in the DANE WG, and the result was >> something along the lines of "We'll narrow the RFC now, and then >> if-and-when raw public keys are approved by the TLS WG, then we'll >> amend it to include them." Well, the time has come. Raw public keys >> are approved by the TLS WG. The trouble is that nobody has bothered >> to amend the TLSA RFC, so the new draft RFC tells people "just use >> DANE", but the DANE TLSA RFC says, "No you can't”. > > Lets fix this, based on experience! > >> >> I propose to add some text to the draft RFC 7250 that extends RFC 6698 >> by defining how raw public keys are stored in TLSA records. > > In the chairs opinion that is a bad idea. > >> >> My coauthors seem to prefer that we just ignore the entire issue, >> issue RFC 7250, and ignore the conflict between the two. As someone >> who learned most of what I know about protocols (and the Internet) >> from reading Saint Jon Postel's clearly written RFCs, I would hate to >> inflict that on future readers. We should not release documents that >> contain deliberate incompatabilities. > > We wish that this had been detected sooner and a corresponding document was in > the publication queue, we are willing to commit to get this fix ASAP. > >> >> We think RFC 7250 is ready to go except for this remaining issue. It >> has been approved by the TLS WG, the IESG, the RFC Editor, and all the >> co-authors but me. >> >> Here's my proposed wording change for RFC 7520. Improvements welcome. >> Start from this version: >> >> https://www.rfc-editor.org/authors/rfc7250.txt >> >> Section 4.4. >> OLD (entire section): >> When the TLS server has specified RawPublicKey as the >> server_certificate_type, authentication of the TLS server to the TLS >> client is supported only through authentication of the received >> client SubjectPublicKeyInfo via an out-of-band method. >> >> NEW (entire section): >> When the TLS server has specified RawPublicKey as the >> server_certificate_type, authentication of the TLS server to the TLS >> client is supported only through authentication of the received >> client SubjectPublicKeyInfo via an out-of-band method. >> >> In order to support out-of-band authentication via DANE [RFC6698], >> this document extends the DANE TLSA record definition to allow such >> records to describe raw public keys as well as PKIX [RFC5280] >> certificates. This extension does not define any new field values; >> it merely defines how existing fields are processed when being >> matched to raw public keys provided by TLS servers. >> >> A raw public key is represented in a TLSA record by specifying a >> certificate usage of 3 (domain-provided), a selector of 1 >> (SubjectPublicKeyInfo), and a matching type of 0. The >> SubjectPublicKeyInfo that holds the public key is placed in the >> certificate association data. Matching types other than 0 may also >> be used, by placing the corresponding hash value into the >> certificate association data. >> >> DANE [RFC6698] section 1.3 is extended to say: >> >> This document only applies to raw public keys and to PKIX >> [RFC5280] certificates, not certificates of other formats. >> >> DANE section 2.1.1 is extended to say: >> >> The certificate usages 0, 1 and 2 defined in this document >> explicitly only apply to PKIX-formatted certificates in DER >> encoding [X.690]. If TLS allows other formats later, or if >> extensions to this RRtype are made that accept other formats for >> certificates, those certificates will need their own certificate >> usage values. >> >> In DANE section 2.1.1, in addition to the definition of certificate >> usage 3 with TLS servers that use PKIX certificates, certificate >> usage 3 may also be used with TLS servers that use raw public keys: >> >> 3 -- Certificate usage 3 is also used to specify a raw public key >> that MUST match the raw public key presented by the server in >> TLS. When the TLS server provides a raw public key, there is no >> PKIX certificate and no PKIX validation is done; the TLS >> server's raw public key MUST match the raw public key provided in >> the TLSA record. This certificate usage is sometimes referred >> to as "domain-issued" because it allows a domain administrator >> to directly certify a domain's public keys. >> >> I believe that this wording reflects the up-to-now tacit consensus on >> how the DANE WG expects TLS raw public keys to be represented and >> processed in TLSA records. In the absence of significant dissent or >> further improvements, I propose to provide the above updates to the >> RFC Editor and release the new RFC. >> >> John > > We think this text is a good starting point, for the OPS document that will update RFC6698 > > The plan we propose is publish RFC7250 and push the fix out no later than right after the > IETF meeting in Toronto. > > Olafur & Warren > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane >
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Hoffman
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Wes Hardaker
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Jim Schaad
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Tom Gindin
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Olafur Gudmundsson
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Simon Arlott
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni