IETF Logo Mail Archive

Re: [dane] RPK use-case high level problem statement

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 06 June 2014 14:52 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 114931A0496 for <dane@ietfa.amsl.com>; Fri, 6 Jun 2014 07:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z91PhlILTr3Q for <dane@ietfa.amsl.com>; Fri, 6 Jun 2014 07:52:14 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73CEE1A049E for <dane@ietf.org>; Fri, 6 Jun 2014 07:52:14 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 25D572AB20C; Fri, 6 Jun 2014 14:52:07 +0000 (UTC)
Date: Fri, 06 Jun 2014 14:52:07 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140606145207.GW27883@mournblade.imrryr.org>
References: <20140605235915.GR27883@mournblade.imrryr.org> <m3wqcusf31.fsf@carbon.jhcloos.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m3wqcusf31.fsf@carbon.jhcloos.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/L6RtSRq11YZWVU5r1rBp5vDGxeI
Subject: Re: [dane] RPK use-case high level problem statement
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 14:52:17 -0000

On Fri, Jun 06, 2014 at 02:54:01AM -0400, James Cloos wrote:

> >>>>> "VD" == Viktor Dukhovni <viktor1dane@dukhovni.org> writes:
> 
> VD>     3. Some subset of servers will have TLSA RRsets during transition
> VD>        states, not currently defined as "misconfigured", such that
> VD>        X.509 DANE TLSA authentication works, but RPK DANE TLSA
> VD>        authentication fails, because the RPK-compatible TLSA RRs
> VD>        match only past or future keys.
> 
> Now I see why/where we disagree.
> 
> In the case where the server's current key cannot be verified by a RPK-
> compatible TLSA, and where the server publishes TLSA at all, it is a
> mis-configuration to permit the server to negotiate RPK.
> 
> Just because a client sends the RPK extension does not mean that the
> server must or will agree.

Indeed I was/am expecting some TLS implementations to automatically
negotiate RPK and use keys extracted from the leaf certificate (far
simpler in mixed environments than configuring separate bare SPKI
objects).  If RPK only gets enabled:

    * Toolkit implements RPK, off by default
    * Application enables RPK support, off by default
    * Administrator enables RPK (when not in conflict with TLSA, ...)

Then it will take quite some time before there's any noticeable
RPK deployment even in the presence of DANE TLSA records than can
authenticate RPK.  The alternative model is:

    * Toolkit implements RPK, on by default in servers.
    * Application may be updated to allow disabling of RPK support.
    * Server administrator publishes "3 1 X" TLSA RRs.
    * Client sees "pure" "3 1 X" TLSA RRset, enables RPK, and off we go.

The extension deploys itself "organically" as implementations are
adopted.  However, if that's the model, then TLSA RRset transitions
need to be managed with care, or clients should be cautious when
automaticaly enabling RPK or better yet both.

I am planning to *recommend* a server BCP of "make sure each and
every U/S/M matches a current keyset" strategy anyway, there are
non-RPK reasons to do that anyway.

So the question with respect to RPK is whether it is:

    * The server's responsibility to only enable it while publishing
    compatible TLSA records (assuming the server publishes TLSA
    records), leading to much slower RPK deployment, but closing
    the "mixed TLSA" exposure.

OR

    * The server's responsibility to carefully publish TLSA records
    in such a way that no U/S/M subset is purely past/future, also
    closing the exposure.

OR

    * The client's responsibility to be cautious in the face of
      "mixed" TLSA records.

If the consensus is that PRK enablement in server applications
needs to be explicit, and it needs to be off by default, then this
should I think be published in the new RPK RFC.  Toolkit implementors
adding server-sie code for the extension need to know that it is not
safe to enable by default.

> It seems extremely unlikely to me that, as RPK support is added to the
> various TLS libraries, that it will be enabled by default.  It is vastly
> more likely that explicit configuration will be required by any server
> software to enable support for RPK.  Perhaps even requiring that the
> SPKI to be sent to RPK clients be in a file outside of any 509 container,
> rather than auto-extracted as needed.

I don't want to rely on happy accidents, if it is not spelled out,
all bets are off.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email