[dane] Certificate usage 2 and TLS server certificate_list?
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 16 April 2013 14:52 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F44221F9751 for <dane@ietfa.amsl.com>; Tue, 16 Apr 2013 07:52:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QoxUMoIXlkON for <dane@ietfa.amsl.com>; Tue, 16 Apr 2013 07:52:37 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 394AD21F975F for <dane@ietf.org>; Tue, 16 Apr 2013 07:52:31 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E474A2AAB99; Tue, 16 Apr 2013 14:52:27 +0000 (UTC)
Date: Tue, 16 Apr 2013 14:52:27 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130416145227.GG23574@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] Certificate usage 2 and TLS server certificate_list?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2013 14:52:52 -0000
On Mon, Apr 08, 2013 at 10:38:30PM +0000, Viktor Dukhovni wrote: Does either RFC 6698, or draft-ietf-dane-srv mandate (or it is too obvious to state in either standard) that: - Servers with "IN TLSA 2 x [12]" associations are obligated to include the full TA cert in their TLS "certificate_list". - It is correct to read "IN TLSA 2 1 0" as validating chains "signed by" (not known whether issued by) the TA, when the TA cert itself is not available in the peer's chain. Or, per the previous question, is the TA cert is required, and the issue is moot. Related Postfix documentation: http://vdukhovni.github.io/postfix/TLS_README.html#client_tls_dane ..., the Postfix SMTP client does not assume that the remote SMTP server will necessarily be configured to present the certificate of any trusted CA in its TLS protocol certificate_list. Therefore, support for trust-anchor certificate and public-key digests is disabled by default, see tls_dane_trust_anchor_digest_enable for details. While undigested trust-anchor certificates in TLSA records are supported, publishing complete certificates in DNS is unwise given the resulting excessively large DNS record sizes. Therefore, in its default configuration the Postfix SMTP client essentially supports only certificate usages "1" and "3" (with "1" treated as though it were "3"). http://vdukhovni.github.io/postfix/postconf.5.html#tls_dane_trust_anchor_digest_enable tls_dane_trust_anchor_digest_enable (default: empty) RFC 6698 trust-anchor digest support in the Postfix TLS library. Specify zero or more of the following options, separated by comma or whitespace. Option names are case-insensitive. ca-constraint Enable support for RFC 6698 (DANE TLSA) DNS records that contain digests of trust-anchors with certificate usage "0". These are often public root CAs, and server operators may expect that clients will have the corresponding root certificate in their CAfile or CApath. Most SSL/TLS servers do not send public root CA certificate in their certificate chain, so if Postfix does not have the CA certificate locally, there is no way to associate the digest with the trust chain from the server. These TLSA records are fragile, and only work when you have a complete (whatever that means) set of public CAs in your CAfile or CApath. Enable this with caution if at all. trust-anchor-assertion Enable support for RFC 6698 (DANE TLSA) DNS records that contain digests of trust-anchors with certificate usage "2". In this case the certificate usage should compel the server operator to configure the server to include the trust-anchor certificate in the server's SSL HELO certificate trust chain. Problems are less likely here, and most administrators choosing non-public CAs should in any case publish TLSA records for leaf certificates (certificate usage "3"). These TLSA records are somewhat less fragile than "ca-constraint" TLSA records, but are also not enabled by default. Having a complete CAfile or CApath may not help in this case, you are at the mercy of the remote server administrator's competence. Enable this with caution if at all. -- Viktor.
- [dane] Certificate usage 2 and TLS server certifi… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Jakob Schlyter
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Jim Schaad
- Re: [dane] Certificate usage 2 and TLS server cer… Paul Hoffman
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Paul Hoffman
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Paul Hoffman
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Jim Schaad
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Jakob Schlyter
- Re: [dane] Certificate usage 2 and TLS server cer… John Gilmore
- Re: [dane] Certificate usage 2 and TLS server cer… Martin Rex
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Viktor Dukhovni
- Re: [dane] Certificate usage 2 and TLS server cer… Jim Schaad
- Re: [dane] Certificate usage 2 and TLS server cer… Mark Andrews