Re: [dane] Compressed Call for Adoption: draft-gilmore-dane-rawkeys-00
John Gilmore <gnu@toad.com> Tue, 24 June 2014 20:54 UTC
Return-Path: <gnu@toad.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E291B291E for <dane@ietfa.amsl.com>; Tue, 24 Jun 2014 13:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.598
X-Spam-Level: *
X-Spam-Status: No, score=1.598 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-0.651] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JiKW81VEi2IZ for <dane@ietfa.amsl.com>; Tue, 24 Jun 2014 13:54:16 -0700 (PDT)
Received: from new.toad.com (new.toad.com [209.237.225.253]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F3171B28CF for <dane@ietf.org>; Tue, 24 Jun 2014 13:52:42 -0700 (PDT)
Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id s5OKqdeo003390 for <dane@ietf.org>; Tue, 24 Jun 2014 13:52:39 -0700
Message-Id: <201406242052.s5OKqdeo003390@new.toad.com>
To: dane@ietf.org
In-reply-to: <20140623173434.GK17723@mournblade.imrryr.org>
References: <CAHw9_i+EtVskqkT1V9V_bvPOCpGdZpz4-Vr4ME_DiC7EvxVQwg@mail.gmail.com> <20140623150158.GE17723@mournblade.imrryr.org> <alpine.LFD.2.10.1406231151000.31024@bofh.nohats.ca> <20140623173434.GK17723@mournblade.imrryr.org>
Comments: In-reply-to Viktor Dukhovni <viktor1dane@dukhovni.org> message dated "Mon, 23 Jun 2014 17:34:34 -0000."
Date: Tue, 24 Jun 2014 13:52:39 -0700
From: John Gilmore <gnu@toad.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Nkrnmgp4h2Nb1ENr_IasAnDIt1c
Subject: Re: [dane] Compressed Call for Adoption: draft-gilmore-dane-rawkeys-00
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jun 2014 20:54:17 -0000
Paul Wouters said: > > Please note that this is to support non-TLS scenarios where the public > > key might not be transferred in-band like in the TLS case. That is, > > the draft extends 6698 to support publishing any kind of public key > > in SPKI format for verification. It does not suggest non-SPKI formats. Paul Hoffman said: > I see nothing in the draft that suggests that it would update 6698 to > cover any protocol other than TLS and DTLS. If the WG adopts the > document, the document should be clearer that the keying material is > only for TLS and DTLS. Any other use would require a different > protocol document that would use a different RRtype (even if that > RRtype uses the same record format. I see two issues mentioned here. One is whether the TLSA record should be deliberately restricted by the WG to never be used by any protocol other than TLS. The second is whether TLS always transfers the public key in-band (thus obviating the need for a way to publish a TLS key in the DNS). On the first issue, we are already having to amend the TLSA RFC to remove deliberate restrictions that were written into it. I have not seen any way that these restrictions improve interoperability; in fact, they detract from interoperability by blocking usages that would work technically. The Raw Public Keys TLS extension would not have needed to amend the TLSA RFC at all, if the TLSA RFC did not contain explicit wording excluding the use of key formats other than a single choice. It could have merely been an add-on extension, if not for those few restrictive sentences. In amending the TLSA RFC for raw public keys, we could remove those deliberate restrictions, and then write new deliberate restrictions. Paul Hoffman's comment above seems to be advocating for that position. Instead, I am advocating for not adding restrictions that have no technical or interoperability rationale. It is not the role of an IETF working group to tell users that they are not allowed to use a protocol that would work for them and that would interoperate cleanly with other users. It's like a WG saying, "You can't use the ssh protocol to implement rsync or git, because ssh is only designed for interactive shells. Each of those applications has to design their own ssh-equivalent protocol", or "The ntpdate program can't use the NTP protocol to get a single estimate of the current time, because the protocol is only designed for doing long-term synchronization among multiple time servers". To quote Dennis Allison, we should be standing on each others' shoulders, not each others' toes. The second issue is the use of the TLSA record to publish a key in its entirety, rather than to merely authenticate the key with a hash value. RFC 7250 (raw public keys) specifies that the server will send its raw public key to the client, in the TLS transaction. So, in the current case, authenticating that key is all that is absolutely required. However, there is a separate TLS WG draft, draft-ietf-tls-cached-info-16.txt, which provides a way to reduce the bandwidth required. It has the client send a hash of the server's raw public key (or cert chain) that it already knows. If the server agrees that that's the public key, it agrees and does not send the server's public key (or certificate chain) in the TLS transaction. This draft is optionally used by CoAP without DANE, using a pre-cached server public key, but its protocol extension can also be used with DANE. When this draft TLS extension is used with DANE, the client has the option to do a TLSA domain lookup first, then, if it receives a full public key in that TLSA RRset, it can hash the public key and send that hash when starting the TLS transaction. If the server agrees that that hash matches its current public key, it sends back agreement and doesn't send another copy of the key. While highly interactive applications like web browsers might not want to serialize the TLSA lookup and the TLS transaction, serializing them to reduce transmitted bytes might be a popular implementation choice for a queued near-realtime application like SMTP, or for a background operation like checking for or downloading software or firmware updates. This is another case (like the ssh example above) where the existing TLSA protocol provides an easy way to do what is needed to use this cached-info TLS protocol variant (authentically publish the whole raw public key). If we were to add more restrictive wording to the TLSA definition (for example, if we restricted TLSA to merely being usable for authentication, never for publication) then that restriction would prevent users from interoperably doing an obvious thing that they wish to do. I suggest that we avoid adding such restrictions. John
- [dane] Compressed Call for Adoption: draft-gilmor… Warren Kumari
- Re: [dane] Compressed Call for Adoption: draft-gi… Peter Koch
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… John Gilmore
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… John Gilmore
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Tom Gindin
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Michael Richardson
- Re: [dane] Compressed Call for Adoption: draft-gi… Michael Richardson
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Sean Turner
- Re: [dane] Compressed Call for Adoption: draft-gi… Warren Kumari