[dane] draft-ietf-dane-srv-03.txt: name checks, ...

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 19 December 2013 17:30 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A81B51AE12B for <dane@ietfa.amsl.com>; Thu, 19 Dec 2013 09:30:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5xzHDMJtpHB for <dane@ietfa.amsl.com>; Thu, 19 Dec 2013 09:30:32 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0271AE128 for <dane@ietf.org>; Thu, 19 Dec 2013 09:30:32 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 9AA982AB01A; Thu, 19 Dec 2013 17:30:27 +0000 (UTC)
Date: Thu, 19 Dec 2013 17:30:27 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131219173027.GB1285@mournblade.imrryr.org>
References: <20131219160710.8908.47958.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20131219160710.8908.47958.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] draft-ietf-dane-srv-03.txt: name checks, ...
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2013 17:30:34 -0000

On Thu, Dec 19, 2013 at 08:07:10AM -0800, internet-drafts@ietf.org wrote:

> 	Filename        : draft-ietf-dane-srv-03.txt
> 	Date            : 2013-12-13

Section 5 (no exception for usage 3):
Section 7 (MUST and SHOULD on server name are too strong):
Section 10.3 (no exception for usage 3):

This still conflicts with the smtp-with-dane and ops drafts with
respect to name checks (server identity checks) in usage 3.  In
the two conflicting documents usage 3 certificates are validated
exclusively by matching against DANE TLSA RRs.  No name checks,
key usage checks, expiration checks, ... apply with usage 3.  Rather,
the binding of the EE certificate to the service end-point is
entirely established by the DNSSEC TLSA record (also its validity
lifetime is the lifetime of the TLSA record).

Correspondingly, all requirements on the content of the server
certificate are relaxed with usage 3, it may, if desired, contain
no identity information.  For example, given the following TLSA
record:

    _25._tcp.mail.example. IN TLSA 3 1 1 \
	4D8CC746810AB5C7D7D24EE2A78AA6D5 \
	687E5CCA54A85846DAACD71E1B172F00

the below would be a valid certificate (which is, absent DANE,
anonymous and never valid):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: 
        Validity
            Not Before: Dec 19 17:16:51 2013 GMT
            Not After : Dec 18 17:16:51 2013 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
		    ...
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA256
	...
-----BEGIN CERTIFICATE-----
MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xMzEyMTkxNzE2NTFaFw0x
MzEyMTgxNzE2NTFaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARIR1J5ykq+
0/4O7VBur2Sv9tgrMvql0kzZzuaMxyFWxbL9bNtkT3zcjrXHVxdhZOZLZo9Fs5AI
MW+zRCwxNcbbMAoGCCqGSM49BAMCA0gAMEUCIFkPVySlkXTbg6mlEUbDGrABN+a2
V9aZR87f+1X+JKydAiEAwlccNJAVHQmkU5kVelXbx8UsVc66Q8Qt6QrT1L5Xg10=
-----END CERTIFICATE-----

-- 
	Viktor.