Re: [dane] Digest Algorithm Agility discussion
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 17 March 2014 17:35 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A131A0442 for <dane@ietfa.amsl.com>; Mon, 17 Mar 2014 10:35:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f53wmSISQN2V for <dane@ietfa.amsl.com>; Mon, 17 Mar 2014 10:35:14 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 803E91A02AD for <dane@ietf.org>; Mon, 17 Mar 2014 10:35:14 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1E54C2AB19D; Mon, 17 Mar 2014 17:35:06 +0000 (UTC)
Date: Mon, 17 Mar 2014 17:35:06 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140317173506.GD24183@mournblade.imrryr.org>
References: <20140315051704.GY21390@mournblade.imrryr.org> <alpine.LFD.2.10.1403171115580.32251@bofh.nohats.ca> <20140317155049.GB24183@mournblade.imrryr.org> <alpine.LFD.2.10.1403171235400.32251@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1403171235400.32251@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/KjE11hywm1ZmvmHG9iMZ2lK_8TQ
Subject: Re: [dane] Digest Algorithm Agility discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 17:35:17 -0000
On Mon, Mar 17, 2014 at 12:57:54PM -0400, Paul Wouters wrote: > On Mon, 17 Mar 2014, Viktor Dukhovni wrote: > > >>> * It should be possible for servers to publish TLSA records > >>> employing multiple digest algorithms allowing clients to > >>> choose the best mutually supported digest. > >> > >>Isn't that already possible? > > > >Not based on RFC 6698 alone. With RFC 6698 the client trusts all > >TLSA records whether "weak" and "strong". > > 4.1 states: > > A TLSA RRSet whose DNSSEC validation state is secure MUST be used > as a certificate association for TLS unless a local policy would > prohibit the use of the specific certificate association in the > secure TLSA RRSet. > > Can that not be used to reject a weak digest? The above proposal is for clients to black-list designated weak digests, rather than select the strongest available digest. If a digest is not yet ready to be black-listed, but is no longer recommended (as lets say SHA1 is now) we'd still have clients using it even when stronger digests are published along-side. I am proposing clients using *only* the strongest digest (as determined by their configuration) and ignoring the rest. This results in a much clear phase-out process. The weak digests are only used when one of the sides only supports that digest. It all boils down to how one might attempt to phase out a weak digest. If there is no "negotiation" (choice of strongest mutually available option) transitions are much harder, because the weak options are used until suddenly dropped, rather than gradually becoming less common, until it is easy to phase them out because almost nobody uses them. > >My proposal is essentially the same. The client uses the strongest > >acceptable digest algorithm. The *client* decides what "strongest" > >means. It never chooses an unsupported algorithm. > > but you want to fail if that one selected one fails. I don't think that > is the right decision. There is no "right" or "wrong", only trade-offs. > I don't think we disagree. the server publishes a new strong digest, and > clients that support that and consider sha2-256 weak will not use > sha2-256. The difference is that clients don't consider SHA2-256 (say) weak right away, they initially get to prefer to not use it, whenever (say) SHA2-512 is also published. > If the admin messes up the new strong digest, than new clients > will fail to get a TLSA record, and old clients will use an unsafe one. The admin messing up is a red-herring. Nobody will publish two digests just in case one is "messed-up". They will publish multiple digests to allow clients to choose the strongest one. > >>If the most prefered TLSA record fails validation, the client should try > >>another TLSA record. > > > >This works poorly. While the weak algorithm is being phased out > >(years) even clients that support stronger algorithms are at risk. > > New clients can have a local policy that states never to accept weak > digests. I don't see a problem with agility. The weak TLSA records > are only left in for clients that support nothing stronger. Such policy is difficult to enable, it applies even to servers that only publish the weak digest. My proposal incrementally phases out the weak digest as servers publish the stronger version. > Maybe I don't understand what you think the problem is? Incremental transition from weak to strong algorithms with no flag day (clients having to completely disable an algorithm to avoid exposure to it even with servers that support a stronger one). With TLS for example, clients don't have to disable all weaker block ciphers, because the client and server will agree on the strongest mutually available (based on either the client's or server's preference list). Once the mutually strongest option is selected, the others are irrelevant. The idea here is the same. > >Perhaps Wes can chime in. His comment to me was that the proposed > >DAA (digest algorithm agility) is essentially the only possible > >and largely analogous to the DNSSEC approach. > > So aren't we all agreeing? Not yet. To be specific suppose a server publishes: IN TLSA 3 1 2 {blob2} IN TLSA 3 1 1 {blob1} and a client supports SHA2-512 (believed strong) and SHA2-256 (hypothetically tarnished, but not yet known broken). In my proposal the client completely ignores {blob1} *even if* {blob2} does not match! The client and server first agree on the strongest digest (analogy with TLS cipher-suite negotiation) and then only that digest is used. The same client authenticating a second server: IN TLSA 3 1 1 {blob3} will use {blob3}. -- Viktor.
- [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Martin Rex
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Jim Schaad
- Re: [dane] Digest Algorithm Agility discussion (c… Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion (c… Andrew Sullivan
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker