Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 17 March 2014 17:44 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 814F41A045E for <dane@ietfa.amsl.com>; Mon, 17 Mar 2014 10:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYjsQ0vpdYd0 for <dane@ietfa.amsl.com>; Mon, 17 Mar 2014 10:44:31 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 7704E1A045D for <dane@ietf.org>; Mon, 17 Mar 2014 10:44:31 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 26E442AB274; Mon, 17 Mar 2014 17:44:23 +0000 (UTC)
Date: Mon, 17 Mar 2014 17:44:23 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140317174423.GE24183@mournblade.imrryr.org>
References: <20140315051704.GY21390@mournblade.imrryr.org> <alpine.LFD.2.10.1403171115580.32251@bofh.nohats.ca> <20140317155049.GB24183@mournblade.imrryr.org> <B4473EDA-DAB4-4CC2-ACCD-B4F8939E5A2C@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B4473EDA-DAB4-4CC2-ACCD-B4F8939E5A2C@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/RV0iTkuZ_hAEn8jvbVL_M3ZlUBI
Subject: Re: [dane] Digest Algorithm Agility discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 17:44:33 -0000

On Mon, Mar 17, 2014 at 09:47:46AM -0700, Paul Hoffman wrote:

> >>>  * It should be possible for servers to publish TLSA records
> >>>    employing multiple digest algorithms allowing clients to
> >>>    choose the best mutually supported digest.
> >> 
> >> Isn't that already possible?
> > 
> > Not based on RFC 6698 alone.  With RFC 6698 the client trusts all
> > TLSA records whether "weak" and "strong".
> 
> Can you point to the specific text for that? It was not my
> intention, and I doubt it was the intention of the WG.

Per RFC 6698, the client evaluats all "usable" TLSA records until
one matches, regardless of digest algorithm strength.

> > My proposal is essentially the same.  The client uses the strongest
> > acceptable digest algorithm.  The *client* decides what "strongest"
> > means.  It never chooses an unsupported algorithm.
> 
> Again, that was at least my intention for 6698. If we need to
> clarify that, that would be much better than adding another layer
> of protocol grease.

There is no text in 6698 that even approximately suggests that clients
get to use only the records with the strongest (local criteria) digest.

> > Stronger clients will never use the published weak records.  
> 
> I strongly doubt that is the desired outcome. If so, lots of
> zones will go invisible when the "later" in "remove weak digests
> later" stretches to a decade.

One can audit for weak TLSA RRsets on peer systems before deciding
to disable a weak algorithm.  My proposal makes it possible to
ramp security before completely disabling an algorithm.  Not doing
the proposed agility algorithm makes the problem worse.

> > This works poorly.  While the weak algorithm is being phased out
> > (years) even clients that support stronger algorithms are at risk.
> 
> At risk of what? Seriously: DANE is additional security over
> non-TLS, so a "weak" algorithm is still better than "no TLS".
> Reduction to absurdity is not helpful here.

Of all people, I am quite surprised to see you say that.  DANE IS
NOT additional security over non-TLS.  DANE is a specification for
publishing public keys in DNS.  It can be used for both opportunistic
and non-opportunistic use-cases.  Postfix supports DANE in both
opportunistic and mandatory modes.

Please see also my reply to Paul W.

-- 
	Viktor.