Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
Paul Wouters <paul@nohats.ca> Thu, 05 June 2014 18:56 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAE121A0247 for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 11:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.651
X-Spam-Level:
X-Spam-Status: No, score=-2.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xU68V-5mtDzt for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 11:56:27 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 046791A0163 for <dane@ietf.org>; Thu, 5 Jun 2014 11:56:27 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id F1985800C9 for <dane@ietf.org>; Thu, 5 Jun 2014 14:56:19 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1401994580; bh=uJDO+Fr/Cgi8mNNMcsX2Y9O5F2+ydz2aVvxYPcg96s8=; h=Date:From:To:Subject:In-Reply-To:References; b=XgLkL4gH4Ix0jlttY/6Ja9rZvpEZfmPw7cDI5IrwjWNuRWuvZzZeNhbUx1llwkNfV PWAwWd+XgnB0oftFnk2OaqSK6lVNCgIyyfqaNCJaz96aZkTVgx2dMzh0ite6KJb/13 dkni3YMWQQYioqFSQo4NFgL8HCLYftUDW3od6vkU=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s55IuJnF008258 for <dane@ietf.org>; Thu, 5 Jun 2014 14:56:19 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Thu, 05 Jun 2014 14:56:19 -0400
From: Paul Wouters <paul@nohats.ca>
To: dane@ietf.org
In-Reply-To: <20140605182415.GM27883@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1406051440130.6520@bofh.nohats.ca>
References: <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <alpine.LFD.2.10.1406030056500.19868@bofh.nohats.ca> <20140603130839.GY27883@mournblade.imrryr.org> <m3ppip5s57.fsf@carbon.jhcloos.org> <20140604025535.GJ27883@mournblade.imrryr.org> <4e941a7fe4be00884d43cf848b30bec228883452@8b5064a13e22126c1b9329f0dc35b8915774b7c3.invalid> <20140605151145.GA27883@mournblade.imrryr.org> <alpine.LFD.2.10.1406051331300.19039@bofh.nohats.ca> <20140605182415.GM27883@mournblade.imrryr.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/JOBteQ9B3m42IMrWtueApbxwStQ
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 18:56:29 -0000
On Thu, 5 Jun 2014, Viktor Dukhovni wrote: > No it is not. Look at the verification logic in the appendix that > loops over all the records. There is no expectation that every > TLSA RR reflects current reality, nor can there be. All that's > required is that *at least one* TLSA record matches the server > chain. Right. Which is why you can have mixes of types/selectors/usage. > Because there is nothing in any DANE document that encourages, let > alone obligates the server to ensure the necessary invariants. > Left to their devices server operators will publish the problematic > RRsets (which cause no obvious problems without "oob"). TLSA records are not TLS client remote configuration records. I think it is a bad idea to allow a TLSA record to modify TLS client behaviour for TLS extensions. TLSA is to authenticate, not to configure. > Suppose the goal is to switch a TA-issued cert (previous self-signed) > and publish a DANE-EE(2) association, from a current "3 1 1" leaf > cert. This can't be done while preserving the stated invariant > without a non-obvious intermideate stage in the DNS keys, because > the self-signed initial cert has no TA. > > Initial: > > IN TLSA 3 1 1 {legacy EE blob} > > Intermediate: > > IN TLSA 3 1 1 {legacy EE blob} > IN TLSA 3 1 1 {EE association for new TA issued chain} > > [switch keys] > > Final: > > IN TLSA 2 0 1 {TA cert blob matching new chain} Why can't I do: Initial: IN TLSA 3 1 1 {legacy EE blob} Intermediate: IN TLSA 3 1 1 {legacy EE blob} IN TLSA 2 0 1 {TA cert blob matching new chain} [switch keys] Final: IN TLSA 2 0 1 {TA cert blob matching new chain} The only requirement is to ensure old TLSA RRsets without the new TLSA record do not live anywhere in cache anywhere when the new TLS cert/key/chain is deployed on the server. > Most operators who publish "3 1 X" will publish *ONLY* "3 1 X" and > my oh-so-subtle comments won't apply. The deployment of "oob" will > not be in any way reduced. By making it safer to deploy "oob" (not > causing unnecessary outages) I am on your side. Most operators who want to get rid of X.509 containers and uselessly expiring X.509 certificates (Like Yahoo yesterday?) and wanting to deploy oob will first use a DANE-EE SPKI on a full cert, and do any kind of CA/TA based matching anyway? >> Restricting the TLSA RRset or pro-actively dropping the oob extension >> based on a mixture of TLSA U/S/M records is undesirable, and your >> justification of "the admin might make an erorr" is an extremely weak >> reason for it. > > And yet you're simply wrong about that. Somewhere, either the > client or the server or both need to do some non-obvious things > (that I plan to write down) I have no problem writing down the non-obvious. I just disagree with your proposed TLS client behaviour. I think we both understand each other's viewpoint. It's time for others to chime in. Paul
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Hoffman
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Wes Hardaker
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Jim Schaad
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Tom Gindin
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Olafur Gudmundsson
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Simon Arlott
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni