IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 29 May 2014 14:00 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 465061A094D for <dane@ietfa.amsl.com>; Thu, 29 May 2014 07:00:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K6DzqiqLXCBk for <dane@ietfa.amsl.com>; Thu, 29 May 2014 07:00:29 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAA2B1A0942 for <dane@ietf.org>; Thu, 29 May 2014 07:00:28 -0700 (PDT)
Received: from [10.20.30.90] (50-1-51-90.dsl.dynamic.fusionbroadband.com [50.1.51.90]) (authenticated bits=0) by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s4TE0Mlp090592 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 29 May 2014 07:00:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-51-90.dsl.dynamic.fusionbroadband.com [50.1.51.90] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <201405290805.s4T85HBT008757@new.toad.com>
Date: Thu, 29 May 2014 07:00:21 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org>
References: <201405290805.s4T85HBT008757@new.toad.com>
To: John Gilmore <gnu@toad.com>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/KROpGvQyFSiXLjqIIKtV1zTCmBs
Cc: dane@ietf.org
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 May 2014 14:00:30 -0000

On May 29, 2014, at 1:05 AM, John Gilmore <gnu@toad.com> wrote:

> I remember fighting this fight in the DANE WG, and the result was
> something along the lines of "We'll narrow the RFC now, and then
> if-and-when raw public keys are approved by the TLS WG, then we'll
> amend it to include them."  

Yep. That is still the plan.

> Well, the time has come.  Raw public keys
> are approved by the TLS WG.  The trouble is that nobody has bothered
> to amend the TLSA RFC, so the new draft RFC tells people "just use
> DANE", but the DANE TLSA RFC says, "No you can't".

Anyone could have started the process for an update to 6689 to reflect this. They haven't yet.

> I propose to add some text to the draft RFC 7250 that extends RFC 6698
> by defining how raw public keys are stored in TLSA records.

That is a horrible abuse of the RFC publication process. That is, instead of you asking for IETF review of your idea, you are trying to slip in a significant technical change with no community review.

> My coauthors seem to prefer that we just ignore the entire issue,
> issue RFC 7250, and ignore the conflict between the two.  

What conflict? DANE is clearly defined. If you want to update the definition (and many of us would support that), write the one-page Internet Draft to do so.

> As someone
> who learned most of what I know about protocols (and the Internet)
> from reading Saint Jon Postel's clearly written RFCs, I would hate to
> inflict that on future readers.  We should not release documents that
> contain deliberate incompatabilities.

And you are not.

> We think RFC 7250 is ready to go except for this remaining issue.  It
> has been approved by the TLS WG, the IESG, the RFC Editor, and all the
> co-authors but me.
> 
> Here's my proposed wording change for RFC 7520.  Improvements welcome.
> Start from this version:
> 
>  https://www.rfc-editor.org/authors/rfc7250.txt
> 
> Section 4.4.
> OLD (entire section):
>   When the TLS server has specified RawPublicKey as the
>   server_certificate_type, authentication of the TLS server to the TLS
>   client is supported only through authentication of the received
>   client SubjectPublicKeyInfo via an out-of-band method.
> 
> NEW (entire section):
>   When the TLS server has specified RawPublicKey as the
>   server_certificate_type, authentication of the TLS server to the TLS
>   client is supported only through authentication of the received
>   client SubjectPublicKeyInfo via an out-of-band method.
> 
>   In order to support out-of-band authentication via DANE [RFC6698],
>   this document extends the DANE TLSA record definition to allow such
>   records to describe raw public keys as well as PKIX [RFC5280]
>   certificates.  This extension does not define any new field values;
>   it merely defines how existing fields are processed when being
>   matched to raw public keys provided by TLS servers.
> 
>   A raw public key is represented in a TLSA record by specifying a
>   certificate usage of 3 (domain-provided), a selector of 1
>   (SubjectPublicKeyInfo), and a matching type of 0.  The
>   SubjectPublicKeyInfo that holds the public key is placed in the
>   certificate association data.  Matching types other than 0 may also
>   be used, by placing the corresponding hash value into the
>   certificate association data.
> 
>   DANE [RFC6698] section 1.3 is extended to say:
> 
>      This document only applies to raw public keys and to PKIX
>      [RFC5280] certificates, not certificates of other formats.
> 
>   DANE section 2.1.1 is extended to say:
> 
>      The certificate usages 0, 1 and 2 defined in this document
>      explicitly only apply to PKIX-formatted certificates in DER
>      encoding [X.690].  If TLS allows other formats later, or if
>      extensions to this RRtype are made that accept other formats for
>      certificates, those certificates will need their own certificate
>      usage values.
> 
>   In DANE section 2.1.1, in addition to the definition of certificate
>   usage 3 with TLS servers that use PKIX certificates, certificate
>   usage 3 may also be used with TLS servers that use raw public keys:
> 
>      3 -- Certificate usage 3 is also used to specify a raw public key
>      that MUST match the raw public key presented by the server in
>      TLS.  When the TLS server provides a raw public key, there is no
>      PKIX certificate and no PKIX validation is done; the TLS
>      server's raw public key MUST match the raw public key provided in
>      the TLSA record.  This certificate usage is sometimes referred
>      to as "domain-issued" because it allows a domain administrator
>      to directly certify a domain's public keys.
> 
> I believe that this wording reflects the up-to-now tacit consensus on
> how the DANE WG expects TLS raw public keys to be represented and
> processed in TLSA records.  In the absence of significant dissent or
> further improvements, I propose to provide the above updates to the
> RFC Editor and release the new RFC.

As co-author of RFC 6689, I fully disagree. The correct way to update RFC 6698 is with a new RFC that has community review.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email