IETF Logo Mail Archive

Re: [dane] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-00.txt

Matt Miller <mamille2@cisco.com> Thu, 07 June 2012 20:53 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E8711E80AA for <dane@ietfa.amsl.com>; Thu, 7 Jun 2012 13:53:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.406
X-Spam-Level:
X-Spam-Status: No, score=-9.406 tagged_above=-999 required=5 tests=[AWL=-1.107, BAYES_00=-2.599, MANGLED_DOSE=2.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tX7vmN7nQg99 for <dane@ietfa.amsl.com>; Thu, 7 Jun 2012 13:53:45 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0C57111E80F2 for <dane@ietf.org>; Thu, 7 Jun 2012 13:53:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mamille2@cisco.com; l=9458; q=dns/txt; s=iport; t=1339102421; x=1340312021; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to:content-transfer-encoding; bh=nS8Iz518ub5Vy49mYQovCSQDYXBY+ad6C0b1BCr2IOQ=; b=FWYqL0r/Lu9rjUf96qmwTGyz+7rpD5JQSJXx0anDQp0BTEP45U+c5xXw LQAXnFmsypARibI5Q29k6nu5hipSK6iBkKi91Bu3mDv3aw4AMROsqN+z0 6T8xRXO7C0Tp+gwSTShKyMsRP7OdiI2KEc5JFr0/IFnmWVVjRS/lomuoK k=;
X-Files: smime.p7s, PGP.sig : 2214, 535
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAMQT0U+rRDoI/2dsb2JhbABFtE2BB4IYAQEBAwESAWYFCwsOOAJVBhMih2QEAQuZLp9xix2FIGADiECFd4ZmgRKEQYhBgWaCf4FA
X-IronPort-AV: E=Sophos; i="4.75,732,1330905600"; d="sig'?p7s'?scan'208"; a="45515646"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 07 Jun 2012 20:53:32 +0000
Received: from [64.101.72.35] ([64.101.72.35]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q57KrVPv008679; Thu, 7 Jun 2012 20:53:31 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-44-17976308"
From: Matt Miller <mamille2@cisco.com>
In-Reply-To: <alpine.LSU.2.00.1206072004470.5807@hermes-2.csi.cam.ac.uk>
Date: Thu, 07 Jun 2012 14:53:48 -0600
Message-Id: <04872EB1-060F-4605-8E1F-6A45152600CF@cisco.com>
References: <20120606153712.8378.19976.idtracker@ietfa.amsl.com> <DAFA7185-25CD-452A-A533-C5002B21C4CC@cisco.com> <alpine.LSU.2.00.1206072004470.5807@hermes-2.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Content-Transfer-Encoding: 7bit
X-Pgp-Agent: GPGMail 1.3.3
X-Mailer: Apple Mail (2.1084)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-00.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 20:53:46 -0000

On Jun 7, 2012, at 13:13, Tony Finch wrote:

> 
> This looks mostly good to me - it's going in pretty much the right
> direction. By which I mean I am specifying basically the same
> semantics for the MUA protocols :-)
> 

Thanks for the feedback.  It's good to know we're not completely off (-:

> The pragmatics of deployment are somewhat different between XMPP and
> email, I think, since email deployments usually use certificates for the
> server host names whereas XMPP deployments use certificates for the JID
> domain. This might mean we have to specify different fallback behaviour. I
> haven't pinned down the precise details yet.
> 
> Detailed comments and questions:
> 
> 
> Section 4 (XMPP SRV + DNSSEC):
> 
> There is no mention of CNAME or DNAME indirections. They do not break the
> model, provided the entire indirection chain is secure.
> 

Noted.

> Bogus answers should be treated as security failures and cause the
> client to abort. Insecure/indeterminate answers should be treated as
> if DNSSEC were not present. At the moment the draft treats these the same.
> 

Good point; will fix in next revision.

> Points 4,5,6: There is no need to check the security status of the SRV
> target addresses, since the client is going to verify that the server's
> certificate matches the SRV target host name.
> 

I think I agree if there are TLSA records to be found.  However, if there are no TLSA records, I do think the checks mean there are additional names verify against.

However, you're not the first to suggest remove them!  I'll ponder on improvements here, and remove them if I can't think of any.

> Point 7: The client SHOULD check the source domain if the derived
> domain doesn't match. Making the source check a MAY is too weak:
> you don't want DNSSEC deployment to change a working configuration
> into a broken one.
> 

I think my current phrasing is bad.  Basically, we want to expand the possible identities allowed in the certificate to include the derived domain in addition to RFC6120's requirements.  I'll change the text to reflect that.

> 
> Section 5.1: What if the SRV records specify non-standard port numbers?
> Or does "not been delegated" mean the same thing as "missing SRV records"?
> 

For this section, "not been delegated" means "no SRV records".  I'll clarify that.

> 
> Section 5.2: What port number should the client use in the TLSA query?
> Should the setup be like this? (using a non-standard port for clarity)
> 
> _xmpp-client._tcp.im.example.com SRV 1 1 5555 im.example.com
> _5555._tcp.im.example.com TLSA ...
> 

In this particular case, I think we really do want the standard port 5222, e.g. "_5222._tcp.im.example.com".

> Note that it is very unlikely for the SRV to be insecure but the TLSA to
> be secure and therefore usable. Perhaps it would be simpler to specify
> that DANE can't be used if the SRV record is not secure.
> 

That would be easier.  I'll ponder on this more.

> 
> Section 5.3:
> 
> In this case the TLSA records should definitely be looked
> up using the port numbers specified in the SRV records.
> (That's what draft-ietf-dane-protocol section 3 says.)
> 

I can remove the text after "... then the TLS client SHOULD query for a TLSA resource record as described in [DANE]".


> The requirement to check the source domain if the TLSA records are
> missing conflicts with section 4.
> 

Good point; will remove in next revision.

> I wonder if there are situations where checking the source (as in 5.1)
> can conflict with checking the target (as in 5.3). We need to be sure
> that a service can easily change from one good configuration to
> another good configuration without accidentally passing through a bad
> configuration.
> 

I think the two can be treated as mutually exclusive without undo burden on implementations.

if   (source domain == derived domain) do 5.1
elif (source domain != derived domain) do 5.3

Not sure yet if it needs to explicitly stated anywhere, but I'll think more about it.

> 
> Section 5.4:
> 
> What is the point of omitting the name check in this case?
> Alternatively, what is the point of including the name check in the
> other DANE cases? My drafts say that name checks should still be
> performed in the usual way, the idea being that DANE leads to
> additional verification code paths rather than completely distinct
> code paths.
> 

My thinking was, if we got to this point, then the name in the certificate was no longer material.  The delegation by the source domain to the derived domain was already proved, and this check simply added a technicality to fail on.

However, it's not something I'm willing to fight for.  I can remove it unless there's a better suggestion.


Thanks again for the feedback!

- m&m

Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.

v2.23.0 | Report a Bug | By Email