Re: [dane] Digest Algorithm Agility discussion

Paul Hoffman <> Mon, 17 March 2014 18:14 UTC


On Mar 17, 2014, at 10:44 AM, Viktor Dukhovni <> wrote:

> On Mon, Mar 17, 2014 at 09:47:46AM -0700, Paul Hoffman wrote:
>>>>> * It should be possible for servers to publish TLSA records
>>>>>   employing multiple digest algorithms allowing clients to
>>>>>   choose the best mutually supported digest.
>>>> Isn't that already possible?
>>> Not based on RFC 6698 alone.  With RFC 6698 the client trusts all
>>> TLSA records whether "weak" or "strong".
>> Can you point to the specific text for that? It was not my
>> intention, and I doubt it was the intention of the WG.
> Per RFC 6698, the client evaluates all "usable" TLSA records until
> one matches, regardless of digest algorithm strength.

Umm, I asked for specific text. :-) If it is in Section 4.1 (which is where it should be), I'm not seeing it.

>>> My proposal is essentially the same.  The client uses the strongest
>>> acceptable digest algorithm.  The *client* decides what "strongest"
>>> means.  It never chooses an unsupported algorithm.
>> Again, that was at least my intention for 6698. If we need to
>> clarify that, that would be much better than adding another layer
>> of protocol grease.
> There is no text in 6698 that even approximately suggests that clients
> get to use only the records with the strongest (local criteria) digest.

In Section 4.1:
   o  A TLSA RRSet whose DNSSEC validation state is secure MUST be used
      as a certificate association for TLS unless a local policy would
      prohibit the use of the specific certificate association in the
      secure TLSA RRSet.
And at the end of Section 8:
   Generators of TLSA records should be aware that the client's full
   trust of a certificate association retrieved from a TLSA record may
   be a matter of local policy.  While such trust is limited to the
   specific domain name, protocol, and port for which the TLSA query was
   made, local policy may decline to accept the certificate (for reasons
   such as weak cryptography), as is also the case with PKIX trust

Crypto choice is definitely a local policy.

--Paul Hoffman
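The two readings argued over in this thread (every usable record counts, versus a local policy that keeps only the strongest acceptable digest) side by side, as an added example that is not code from either poster nor from any DANE implementation. The SPKI bytes, the stale SHA-512 record, the preference order and the matching type 250 are constructed assumptions for the demonstration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# RFC 6698 matching types: 0 = full object, 1 = SHA-256, 2 = SHA-512
FULL, SHA256, SHA512 = 0, 1, 2
DIGEST = {FULL: lambda b: b, SHA256: lambda b: hashlib.sha256(b).digest(),
          SHA512: lambda b: hashlib.sha512(b).digest()}
@dataclass(frozen=True)
class TLSA:
    usage: int          # certificate usage (e.g. 3 = DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int
    data: bytes

def usable_records(rrset):
    """RFC 6698 alone: every implemented matching type is usable, whatever its strength."""
    return [r for r in rrset if r.matching_type in DIGEST]

def strongest_records(rrset, preference=(FULL, SHA512, SHA256)):
    """Policy under discussion: per (usage, selector) group keep only records with the
    strongest locally acceptable matching type; unsupported types are never chosen."""
    rank = {mt: i for i, mt in enumerate(preference)}   # assumed local order
    groups = defaultdict(list)
    for r in rrset:
        if r.matching_type in rank:
            groups[(r.usage, r.selector)].append(r)
    kept = []
    for recs in groups.values():
        best = min(rank[r.matching_type] for r in recs)
        kept.extend(r for r in recs if rank[r.matching_type] == best)
    return kept

def any_match(records, presented):
    """presented maps selector -> DER bytes offered by the server."""
    return any(r.selector in presented and
               DIGEST[r.matching_type](presented[r.selector]) == r.data
               for r in records)
# Constructed sample: correct SHA-256 record, stale SHA-512 record, and a
# record with a hypothetical matching type 250 the client does not implement.
SPKI = b"constructed-SubjectPublicKeyInfo-bytes"
RRSET = [TLSA(3, 1, SHA256, hashlib.sha256(SPKI).digest()),
         TLSA(3, 1, SHA512, hashlib.sha512(b"old-key").digest()),
         TLSA(3, 1, 250, b"\x00")]

def evaluate(rrset=RRSET, presented={1: SPKI}):
    """Returns (accepted per RFC 6698, accepted under strongest-only policy)."""
    return (any_match(usable_records(rrset), presented),
            any_match(strongest_records(rrset), presented))
```

The sample shows the practical difference: under the "all usable records" reading the stale SHA-512 record is harmless because the SHA-256 one still matches, while under a strongest-only policy the same RRset fails, so an operator publishing several digests must keep every one of them current.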