[dane] [Technical Errata Reported] RFC6698 (3594)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 16 April 2013 22:19 UTC

To: paul.hoffman@vpnc.org, jakob@kirei.se, stephen.farrell@cs.tcd.ie, turners@ieca.com, ondrej.sury@nic.cz, warren@kumari.net
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20130416221817.82228B1E003@rfc-editor.org>
Date: Tue, 16 Apr 2013 15:18:17 -0700
Cc: rfc-editor@rfc-editor.org, dane@ietf.org
Subject: [dane] [Technical Errata Reported] RFC6698 (3594)

The following errata report has been submitted for RFC6698,
"The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6698&eid=3594

--------------------------------------
Type: Technical
Reported by: Viktor Dukhovni <viktor1dane@dukhovni.org>

Section: 2.1.1

Original Text
-------------
      2 -- Certificate usage 2 is used to specify a certificate, or the
      public key of such a certificate, that MUST be used as the trust
      anchor when validating the end entity certificate given by the
      server in TLS.  This certificate usage is sometimes referred to as
      "trust anchor assertion" and allows a domain name administrator to
      specify a new trust anchor -- for example, if the domain issues
      its own certificates under its own CA that is not expected to be
      in the end users' collection of trust anchors.  The target
      certificate MUST pass PKIX certification path validation, with any
      certificate matching the TLSA record considered to be a trust
      anchor for this certification path validation.

Corrected Text
--------------
      2 -- Certificate usage 2 is used to specify a certificate, or the
      public key of such a certificate, that MUST be used as the trust
      anchor when validating the end entity certificate given by the
      server in TLS.  This certificate usage is sometimes referred to as
      "trust anchor assertion" and allows a domain name administrator to
      specify a new trust anchor -- for example, if the domain issues
      its own certificates under its own CA that is not expected to be
      in the end users' collection of trust anchors.  The target
      certificate MUST pass PKIX certification path validation, with any
      certificate matching the TLSA record considered to be a trust
      anchor for this certification path validation.  Since clients cannot
      be presumed to have their own copy of the trust-anchor certificate,
      when the TLSA association specifies a certificate digest, the TLS
      server MUST be configured to provide the trust-anchor certificate in
      its "certificate_list" TLS handshake message.


Notes
-----
This is critical for interoperability between clients and servers.  A client that commits to verify TLSA RR certificate associations will fail if it can't obtain the required certificates.  With usage "2" there is no presumption that these are available to the client.  If servers are not obligated to provide them the protocol will consistently fail.  With non-interactive protocols where there is no user to "click OK", such as SMTP, there is no good work-around and both client and server owners suffer.
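
A small Python model of both sides of the usage-2 association discussed in the report, added here as an illustration and not part of the erratum or of RFC 6698: `tlsa_record` is what the zone administrator publishes and `find_trust_anchor` is the client-side lookup against the server's `certificate_list`. `Cert`, `TA_CERT` and `EE_CERT` are constructed stand-ins for parsed certificates (no real DER); the field values are the ones defined in RFC 6698 Section 2.1, and the model covers only certificate usage 2. It shows the interoperability point above: with a digest (matching type 1 or 2) the trust anchor is recovered only if the server sends it, while with matching type 0 the record itself carries it.

```python
import hashlib
from dataclasses import dataclass

# TLSA field values from RFC 6698 Section 2.1; this example handles only these.
USAGE_DANE_TA = 2        # certificate usage 2, "trust anchor assertion"
SELECTOR_FULL_CERT = 0   # selector 0: the full certificate
SELECTOR_SPKI = 1        # selector 1: the SubjectPublicKeyInfo
MATCH_EXACT = 0          # matching type 0: full selected data in the record
MATCH_SHA256 = 1         # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2         # matching type 2: SHA-512 of the selected data
DIGEST = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}

@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed X.509 certificate (DER plus its SPKI)."""
    der: bytes
    spki: bytes

# Constructed sample certificates (not real DER): the domain's own CA and its EE.
TA_CERT = Cert(b"constructed-ta-der", b"constructed-ta-spki")
EE_CERT = Cert(b"constructed-ee-der", b"constructed-ee-spki")

def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data: the selected part of the cert or its digest."""
    data = cert.der if selector == SELECTOR_FULL_CERT else cert.spki
    return data if mtype == MATCH_EXACT else DIGEST[mtype](data).digest()

def tlsa_record(cert: Cert, usage: int, selector: int, mtype: int) -> str:
    """What the zone administrator publishes, in TLSA presentation format."""
    return f"{usage} {selector} {mtype} {association_data(cert, selector, mtype).hex()}"

def parse_tlsa(rr: str):
    usage, selector, mtype, data = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)

def find_trust_anchor(rr: str, certificate_list):
    """Return the trust-anchor data a usage-2 client validates against, or None.
    Matching type 0 carries the whole certificate or SPKI in the record itself;
    with a digest, the anchor must appear in the server's certificate_list."""
    usage, selector, mtype, assoc = parse_tlsa(rr)
    if usage != USAGE_DANE_TA:
        raise ValueError("this example covers certificate usage 2 only")
    if mtype == MATCH_EXACT:
        return assoc
    for cert in certificate_list:
        if association_data(cert, selector, mtype) == assoc:
            return cert.der if selector == SELECTOR_FULL_CERT else cert.spki
    return None  # anchor not supplied: PKIX path validation cannot proceed
```

A `None` result is the failure the report describes: a client committed to the TLSA association has nothing to anchor path validation on, and a non-interactive protocol such as SMTP has no user to override it.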

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6698 (draft-ietf-dane-protocol-23)
--------------------------------------
Title               : The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
Publication Date    : August 2012
Author(s)           : P. Hoffman, J. Schlyter
Category            : PROPOSED STANDARD
Source              : DNS-based Authentication of Named Entities
Area                : Security
Stream              : IETF
Verifying Party     : IESG