IETF Logo Mail Archive

Re: [dane] Draft for serializing DNSSEC chains

Martin Rex <mrex@sap.com> Thu, 07 July 2011 21:44 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FF949E8017 for <dane@ietfa.amsl.com>; Thu, 7 Jul 2011 14:44:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.201
X-Spam-Level:
X-Spam-Status: No, score=-10.201 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS1HLJifQDO3 for <dane@ietfa.amsl.com>; Thu, 7 Jul 2011 14:44:01 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id DB2F621F8512 for <dane@ietf.org>; Thu, 7 Jul 2011 14:44:00 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p67Lhxru006402 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 7 Jul 2011 23:43:59 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201107072143.p67Lhwjk021117@fs4113.wdf.sap.corp>
To: eosterweil@verisign.com
Date: Thu, 07 Jul 2011 23:43:58 +0200
In-Reply-To: <4E1618C7.7060908@verisign.com> from "Eric Osterweil" at Jul 7, 11 04:36:23 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: dane@ietf.org
Subject: Re: [dane] Draft for serializing DNSSEC chains
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 21:44:01 -0000

Eric Osterweil wrote:
> 
> >
> > AFAIK, the original TLS extension was a single OCSP response, and then
> > all CAs added intermediate certs so that a single OCSP response was
> > no longer sufficient to validate a server certificate.
> >
> > The proposal for a new TLS extension to carry more than a single
> > OCSP reponse is still an internet draft:
> > https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/
> >
> 
> Yes, but are you aware of the _operational_ problems?  Is the 
> distinction between design complexity and operational complexity not 
> clear?  If so, is anyone else on the list concerned?

I do not see any (additional) operational problems.

The server is *ALWAYS* in a better position to obtain OCSP responses
for his own server cert and cache it, and the same goes for DANE records.

So from the operational standpoint, using a TLS extension to
convey the information significantly facilitates the communication
with the _correct_ server.  It doesn't help when talking to an
attempted imposter.


> 
> >
> > The security design of DANE does not have a dependency on the transport
> > that is used to convey the signed DNS records.  Neither does OCSP and 
> > CRLs.
>
> Actually, it very much does.  If operational issues open attack vectors 
> (which they will in this case), then I think the security design (by 
> definition) has a dependency.  Is the vector still unclear?

Nope, it does not.

The only things in dane that is security-relevant during verification
is the signed records and the the RRSIG lifetimes.  The transport
as well as all TTLs are completely irrelevant.


-Martin

v2.23.0 | Report a Bug | By Email