Re: [dane] draft-ietf-dane-smime
"Osterweil, Eric" <eosterweil@verisign.com> Fri, 31 October 2014 14:47 UTC
Return-Path: <eosterweil@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0AE21A903E for <dane@ietfa.amsl.com>; Fri, 31 Oct 2014 07:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.079
X-Spam-Level:
X-Spam-Status: No, score=-3.079 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Xbkmyv-uX4a for <dane@ietfa.amsl.com>; Fri, 31 Oct 2014 07:47:22 -0700 (PDT)
Received: from exprod6og110.obsmtp.com (exprod6og110.obsmtp.com [64.18.1.25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C15B1A9067 for <dane@ietf.org>; Fri, 31 Oct 2014 07:47:22 -0700 (PDT)
Received: from brn1lxmailout01.verisign.com ([72.13.63.41]) (using TLSv1) by exprod6ob110.postini.com ([64.18.5.12]) with SMTP ID DSNKVFOg+TERfjCdo6q8ZMso6pyrNT+rj4QN@postini.com; Fri, 31 Oct 2014 07:47:22 PDT
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id s9VElK8T032296 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Fri, 31 Oct 2014 10:47:20 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Fri, 31 Oct 2014 10:47:20 -0400
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: dane WG list <dane@ietf.org>
Thread-Topic: [dane] draft-ietf-dane-smime
Thread-Index: AQHP2+CXduy9obN06UaH3lWvHXXI5ZxKvpuA
Date: Fri, 31 Oct 2014 14:47:19 +0000
Message-ID: <39C76846-F695-435D-9A5C-6989D06E9573@verisign.com>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com>
In-Reply-To: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <77546F13CBEF0C4BB25504C5BBBA4F28@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VVOVTFpt2HKFwpc21zOuubKes7s
Subject: Re: [dane] draft-ietf-dane-smime
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 14:47:27 -0000
Hey again everyone, The thread has calmed down a little bit, and I just wanted to add one more attempt to find a middle-ground to this thread: the initial message (below) included suggested text. Later in the thread, there were some suggested modifications. Thanks to all of those who spent time thinking about this and offered suggestions! I’ve taken a couple of minutes to incorporate feedback, and here is some revised suggested text: On Sep 29, 2014, at 8:26 AM, Osterweil, Eric <eosterweil@verisign.com> wrote: > Hey everyone, > > Based on our implementation experience we would like to suggest that the following text (taken from Scott Rose's email: http://www.ietf.org/mail-archive/web/dane/current/msg06180.html ) be incorporated into the current version of the draft-ietf-dane-smime document. We are sending text (below), but at a high-level, the text outlines a few useful additions: > > 1 - Usage #4 (reject) is likely to be very important. This could either emphasize the difference between saying, ``don't use this cert for this operation,'' and ``this cert is universally revoked'' or be used to selectively override an organization-wide TA for certain employees that have left the organization. > > 2 - The certificate access field (Section 2.1.4) would enable alternate discovery mechanisms that could help aid incremental deployment and transition schemes. For example, while cutting over to a DANE solution, some enterprises may want to transition users from (say) AD to DANE, and this field would enable that. > > 3 - The ``_encr'' and ``_sign'' labels are excellent additions to the management of zone sizes and lookup sizes. Rather than querying for all keys and then locally selecting from them, I (as an RP) likely already know which of these I want, and I should be able to look them up separately in DANE (and owners should be able to manage them separately in DANE). . . . 2.1. SMIMEA RDATA Fields The RDATA for the SMIMEA RR consists of a one-octet certificate usage field, a one-octet selector field, a one-octet matching type field, a one-octet certificate access field, and the certificate association data field. 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Cert. Usage | Selector | Matching Type | Cert. Access | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / Certificate Association Data / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2.1.1. The Certificate Usage Field A one-octet value, called "certificate usage", specifies the provided association that will be used to validate the certificate. This value will be defined in a new IANA registry in order to make it easier to add additional certificate usages in the future. Four of the initial usages defined in this document are similar to the first four TLSA [RFC6698] certificate usages. The certificate usage values are: 0 or PKIX-CA -- PKIX-CA is used to specify a CA certificate, or the public key of such a certificate, that MUST be found in any of the PKIX certification paths for the user. This certificate usage is sometimes referred to as "CA constraint" because it limits which CA can be used to issue certificates for a given user. The presented certificate MUST pass PKIX certification path validation, and a CA certificate that matches the SMIMEA record MUST be included as part of a valid certification path. Because this certificate usage allows both trust anchors and CA certificates, the certificate might or might not have the basicConstraints extension present. 1 or PKIX-EE -- PKIX-EE is used to specify an end entity certificate, or the public key of such a certificate, that MUST be matched with the end entity certificate for the SMIME user. This certificate usage is sometimes referred to as "user certificate constraint" because it limits which end entity certificate can be used by a given user. The target user certificate MUST pass PKIX certification path validation and MUST match the SMIMEA record. 2 or DANE-TA -- DANE-TA is used to specify a certificate, or the public key of such a certificate, that MUST be used as the trust anchor when validating the SMIME user certificate. This certificate usage is sometimes referred to as "trust anchor assertion" and allows a domain name administrator to specify a new trust anchor -- for example, if the domain issues its own certificates under its own CA that is not expected to be in the end users' collection of trust anchors. The target user certificate MUST pass PKIX certification path validation, with any certificate matching the SMIMEA record considered to be a trust anchor for this certification path validation. 3 or DANE-EE -- DANE-EE is used to specify a certificate, or the public key of such a certificate, that MUST match the SMIME user's certificate. This certificate usage is sometimes referred to as "domain-issued certificate" because it allows for a domain name administrator to issue certificates for a domain without involving a third-party CA. The target user certificate MUST match the SMIMEA record. The difference between certificate usage 1 and certificate usage 3 is that certificate usage 1 requires that the certificate pass PKIX validation, but PKIX validation is not tested for certificate usage 3. 4 or REJECT -- REJECT is used by the domain owner to assert that at the time of querying the DNS, this user's certificate MUST be considered invalid for the requested function (i.e. signature or encryption). This is a stronger assertion than a failed certificate validation check. Possible usage scenarios include de-authorizing stale employee credentials by selectively overriding TAs that are used to authorize entire organizations. The certificate usages defined in this document explicitly only apply to PKIX-formatted certificates in DER encoding [ITU.X690.2002]. If SMIME allows other formats later, or if extensions to this RR type are made that accept other formats for certificates, those certificates will need their own certificate usage values. 2.1.2. The Selector Field A one-octet value, called "selector", specifies which part of the SMIME certificate presented by the server will be matched against the association data. This value will be defined in a new IANA registry. The selectors defined in this document are: 0 or CERT -- Full certificate: the Certificate binary structure as defined in [RFC5280]. 1 or SPKI -- SubjectPublicKeyInfo: DER-encoded binary structure as defined in [RFC5280]. (Note that the use of "selector" in this document is completely unrelated to the use of "selector" in DomainKeys Identified Mail (DKIM) [RFC6376].) 2.1.3. The Matching Type Field A one-octet value, called "matching type", specifies how the certificate association is presented. This value will be defined in a new IANA registry. The types defined in this document are: 0 or Full -- Exact match on selected content 1 or SHA2-256 -- SHA-256 hash of selected content [RFC6234] 2 or SHA2-512 -- SHA-512 hash of selected content [RFC6234] If the SMIMEA record's matching type is a hash, having the record use the same hash algorithm that was used in the signature in the certificate (if possible) will assist clients that support a small number of hash algorithms. 2.1.4. Certificate Access Field This one octet value indicates an alternative method for certificate discovery. Some domain owners may not want to publish user certificates via DNS but may want to use the DNS to advertise the means to access them. If full user certificates are not included in the Certificate Association Data this field MAY be used to indicate how the user's certificate can be obtained. The RDATA certificate association data MUST be used to validate certificates obtained by the alternative method. 0 or NO: No alternative method advertised. 1 or NAPTR : NAPTR record available. The same domain name used for this SMIMEA request MAY be used again with type NAPTR [RFC3403] to retrieve the URI for certificate access. 2 or WF: X.509 certificates available in WebFinger [RFC7033]. 2.1.5. The Certificate Association Data Field This field specifies the "certificate association data" to be matched. These bytes are either raw data (that is, the full certificate or its SubjectPublicKeyInfo, depending on the selector) for matching type Full (0), or the hash of the raw data for matching types SHA2-256 (1) and SHA2-512 (2). The data refers to the certificate in the association, not to the ASN.1 Certificate object. For certificate usage type REJECT (4) at least one byte of data is REQUIRED but the value MUST be ignored. 2.2. SMIMEA RR Presentation Format The presentation format of the RDATA portion (as defined in [RFC1035]) is as follows: o The certificate usage field MUST be represented either as a certificate usage mnemonic or an 8-bit unsigned integer. o The selector field MUST be represented either as a selector field mnemonic or an 8-bit unsigned integer. o The matching type field MUST be represented either as a matching type mnemonic or an 8-bit unsigned integer. o The certificate access field MUST be represented either as a certificate access mnemonic or an 8-bit unsigned integer. o The certificate association data field MUST be represented as a string of hexadecimal characters. Whitespace is allowed within the string of hexadecimal characters, as described in [RFC1035]. Where practical, the mnemonic form SHOULD be used in order to provide clarity. 2.3. SMIMEA RR Examples In the following examples, the domain name is formed using the rules in Section 3. An example of a hashed (SHA2-256) association of a Full PKIX-CA certificate in the PKIX validation path of a certificate used to validate a signed S/MIME message. No alternative certificate access is advertised. 1c190a039a9c355fba9eb653eb52cd64e2fbe76db2588fc5a2b5c5d4._sign._smimecert.example.com. IN SMIMEA ( 0 0 1 0 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 ) Alternatively 1c190a039a9c355fba9eb653eb52cd64e2fbe76db2588fc5a2b5c5d4._sign._smimecert.example.com. IN SMIMEA ( PKIX-CA FULL SHA2-256 NO d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 ) An example resource record providing Full self-signed encryption certificate: 1c190a039a9c355fba9eb653eb52cd64e2fbe76db2588fc5a2b5c5d4._encr._smimecert.example.com. IN SMIMEA ( DANE-EE Cert Full NO 30820307308201efa003020102020... ) An example of resource record invalidating all digital signatures by identified user: 1c190a039a9c355fba9eb653eb52cd64e2fbe76db2588fc5a2b5c5d4._sign._smimecert.example.com. IN SMIMEA ( REJECT Cert Full NO 00 ) ... 3. Domain Names for S/MIME Certificate Associations SMIMEA domain names include function and user labels. The purpose is to identify the function specific certificate if a user has multiple certificates. Alias MAY be used if a user has a common certificate for both functions ... 3.1. Domain Name Preparation Domain names are prepared for requests in the following manner. 1. The user name (the "left-hand side" of the email address, called the "local-part" in the mail message format definition [RFC5322] and the "local part" in the specification for internationalized email [RFC6530]), is encoded with Base32 [RFC4648], to become the left-most label in the prepared domain name. This does not include the "@" character that separates the left and right sides of the email address. 2. The second left-most label is the function specific label segment. It is selected based on the S/MIME function the MUA is performing. Values are: "_encr" for obtaining or validating a certificate or public key to be used to encrypt a message. "_sign" for certificate validation data to verify a digital signature. For certificate use cases XXXX-EE (1 and 3) the function specific label SHOULD be consistent with the Key Usage field (defined in section 4.2.1.3 of [RFC5280]) of the associated certificate. 3. The string "_smimecert" becomes the third left-most label in the prepared domain. The function specific label segment is separate to enable delegation of a single _smimecert zone cut. 4. The domain name (the "right-hand side" of the email address, called the "domain" in [RFC5322]) is appended to the result of step 3 to complete the prepared domain name. ... 3.2. Domain Name Examples Example 1. Signature certificate verification: to request an SMIMEA resource record to verify a signature certificate for a user whose address is "alice@example.com", you would use: "df7f0c341e185f1073a2caef0d37a8b6a11fac62f46beaf459532bb0._sign._smimecert.example.com" Example 2. Encryption key discovery: to request an SMIMEA resource record for encrypting an email to user "bob@example.com" you would use: "550c233eeabd0f03bb42b99956efa56cdadaef7d346a04e351ac1b7a._encr._smimecert.example.com" 4. Use of SMIMEA Records in SMIME SMIMEA records are used to publish user certificates or validate user certificates acquired by other means. Typically these use cases are associated with message encryption and signature validation processes respectively. Section 2.1 of this document defines the mandatory matching rules for the data. Where possible, consistency with [RFC6698] is maintained. 4.1. Usable Certificate Associations An implementation of this protocol makes a DNS query for SMIMEA records, validates these records using DNSSEC, and uses the resulting SMIMEA records and validation to modify S/MIME message processing behavior. Determining whether an SMIMEA RRSet can be used MUST be based on the DNSSEC validation state (as defined in [RFC4035]). o An SMIMEA RRSet whose DNSSEC validation state is secure MUST be used as a certificate association for S/MIME unless a local policy would prohibit the use of the specific certificate association in the secure SMIMEA RRSet. o If the DNSSEC validation state on the response to the request for the SMIMEA RRSet is bogus then the RRSet MUST be disregarded and considered unusable. Additional SMIMEA queries may be initiated. o If the DNSSEC validation state is indeterminate or insecure then the SMIMEA RRSet MUST be disregarded and considered unusable. MUAs that rely on another entity to perform the DNSSEC signature validation SHOULD use a secure mechanism between themselves and the validator. Examples of secure transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931], and IPsec [RFC6071]. Note that it is not sufficient to use secure transport to a DNS resolver that does not do DNSSEC signature validation. If a certificate association contains a certificate usage, selector, or matching type that is not understood by the MUA, that certificate association MUST be considered unusable. If the comparison data for a certificate is malformed, the certificate association MUST be considered unusable. If a certificate association contains a matching type or certificate association data that uses a cryptographic algorithm that is considered too weak for the MUA's local policy, the certificate association MUST be considered unusable. If a MUA receives zero usable certificate associations from a DNS request or from its cache, it processes S/MIME requests in the normal fashion without any input from the SMIMEA records. If a MUA performing certificate validation receives one or more usable certificate associations then it MUST attempt to match each certificate association with the user's certificate until a successful match is found. If no certificate associations match then the certificate MUST be considered invalid. If a MUA makes an SMIMEA request for an encryption certificate and the response includes more than one valid certificate, the certificate with the most recent "Not Before" data SHOULD be selected. [ Are there better criteria? ] ... 6. IANA Considerations 6.1. SMIMEA RRtype This document uses a new DNS RR type, SMIMEA, whose value will be allocated by IANA from the Resource Record (RR) TYPEs subregistry of the Domain Name System (DNS) Parameters registry. 6.2. SMIMEA Certificate Usage Registry This document creates a new registry, "SMIMEA Certificate Usages". The registry policy is "RFC Required". The initial entries in the registry are: +-------+----------+--------------------------------+-------------+ | Value | Mnemonic | Short Description | Reference | +-------+----------+--------------------------------+-------------+ | 0 | PKIX-CA | CA constraint | [this doc] | | 1 | PKIX-EE | Service certificate constraint | [this doc] | | 2 | DANE-TA | Trust anchor assertion | [this doc] | | 3 | DANE-EE | Domain-issued certificate | [this doc] | | 4 | REJECT | Invalid Certificate or User | [this doc] | | 5-254 | | Unassigned | | | 255 | PrivCert | Reserved for Private Use | [this doc] | +-------+----------+--------------------------------+-------------+ Applications to the registry can request specific values that have yet to be assigned. 6.3. SMIMEA Selectors This document creates a new registry, "TLSA Selectors". The registry policy is "Specification Required". The initial entries in the registry are: +-------+----------+--------------------------+-------------+ | Value | Mnemonic | Short Description | Reference | +-------+----------+--------------------------+-------------+ | 0 | Cert | Full certificate | [this doc] | | 1 | SPKI | SubjectPublicKeyInfo | [this doc] | | 2-254 | | Unassigned | | | 255 | PrivSel | Reserved for Private Use | [this doc] | +-------+----------+--------------------------+-------------+ Applications to the registry can request specific values that have yet to be assigned. 6.4. SMIMEA Matching Types This document creates a new registry, "SMIMEA Matching Types". The registry policy is "Specification Required". The initial entries in the registry are: +-------+-----------+--------------------------+-------------+ | Value | Mnemonic | Short Description | Reference | +-------+-----------+--------------------------+-------------+ | 0 | Full | No hash used | [this doc] | | 1 | SHA2-256 | 256 bit hash by SHA2 | [this doc] | | 2 | SHA2-512 | 512 bit hash by SHA2 | [this doc] | | 3-254 | | Unassigned | | | 255 | PrivMatch | Reserved for Private Use | [this doc] | +-------+-----------+--------------------------+-------------+ Applications to the registry can request specific values that have yet to be assigned. 6.5. Certificate Access Field This document creates a new registry, "SMIMEA Certificate Access". The registry policy is "Specification Required". The initial entries in the registry are: +-------+-----------+---------------------------+-------------+ | Value | Mnemonic | Short Description | Reference | +-------+-----------+---------------------------+-------------+ | 0 | NO | No Alternative Advertised | [this doc] | | 1 | NAPTR | NAPTR | [this doc] | | 2 | WF | WebFinger | [this doc] | | 3-254 | | Unassigned | | | 255 | PrivUse | Reserved for Private Use | [this doc] | +-------+-----------+---------------------------+-------------+ Applications to the registry can request specific values that have yet to be assigned.
- [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Paul Hoffman
- Re: [dane] draft-ietf-dane-smime Doug Montgomery
- Re: [dane] draft-ietf-dane-smime Jakob Schlyter
- Re: [dane] draft-ietf-dane-smime Doug Montgomery
- Re: [dane] draft-ietf-dane-smime Paul Hoffman
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Sean Turner
- Re: [dane] draft-ietf-dane-smime Olafur Gudmundsson
- Re: [dane] draft-ietf-dane-smime Jakob Schlyter
- Re: [dane] draft-ietf-dane-smime Paul Hoffman
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Paul Hoffman
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Paul Hoffman
- Re: [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Paul Wouters
- [dane] Deployment considerations - Re: draft-ietf… Dan York
- Re: [dane] draft-ietf-dane-smime Warren Kumari
- Re: [dane] Deployment considerations - Re: draft-… Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Warren Kumari
- Re: [dane] Deployment considerations - Re: draft-… Mark Andrews
- Re: [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Paul Wouters
- Re: [dane] draft-ietf-dane-smime Danny McPherson
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime Jakob Schlyter