[dane] WGLC: DANE-SRV (Abstract and introduction feedback)
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 01 December 2014 03:30 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2823B1A039B for <dane@ietfa.amsl.com>; Sun, 30 Nov 2014 19:30:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_BACKHAIR_23=1] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKzxxDP_j-Im for <dane@ietfa.amsl.com>; Sun, 30 Nov 2014 19:30:11 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 129D21A034F for <dane@ietf.org>; Sun, 30 Nov 2014 19:30:10 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 5D650282FBC; Mon, 1 Dec 2014 03:30:09 +0000 (UTC)
Date: Mon, 01 Dec 2014 03:30:09 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141201033009.GI285@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/_ysCoPQVePfFBSFgL3tB-ejLi2w
Subject: [dane] WGLC: DANE-SRV (Abstract and introduction feedback)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2014 03:30:13 -0000
On Sun, Nov 30, 2014 at 06:48:41PM -0700, Peter Saint-Andre - &yet wrote: > >>http://tools.ietf.org/wg/dane/draft-ietf-dane-srv > > > >I have extensive comments throughout the document, but I don't know > >how to best process them. One comment-bomb message? > > Unfortunately, yes. [ I'm splitting it into a few messages to keep it manageable, and in any case some of my comments are still pencil marks on a print-out, not yet transcribed. ] This message covers that abstract and introduction. General comment: The draft frequently talks about "hostnames", where what is really meant is a transport endpoint (port, transport protocol, host). With PKIX-EE or DANE-EE certificate usages, TLSA records are more precise than the Web PKI and can associate different, non-interchangeable key material with distinct services on a single host. So in many places I will be suggesting replacing statements about "hostnames" with statements about "transport endpoints". 1. Abstract: General comment, not just certificates, but also public keys, or more simply "key material". The new version is also more compact. OLD: <t>The DANE specification (RFC 6698) describes how to use TLSA resource records in the DNS to associate a server's host name with its TLS certificate, where the association is secured with DNSSEC. However, application protocols that use SRV records (RFC 2782) to indirectly name the target server host names for a service domain cannot apply the rules from RFC 6698. Therefore this document provides guidelines that enable such protocols to locate and use TLSA records.</t> NEW: <t> The DANE specification (RFC 6698) describes how to use DNSSEC secured TLSA resource records to associate a transport endpoint with corresponding TLS key material. This document builds on RFC 6698 to specify DANE for application protocols that use SRV records (RFC 2782) to indirectly locate the transport endpoints associated with a given service at a service domain. </t> 2. Introduction first two paragraphs: Align with similar language in the abstract, deal with hostname versus transport endpoint. More concise. OLD: <t>The base DANE specification <xref target="RFC6698"/> describes how to use TLSA resource records in the DNS to associate a server's host name with its TLS certificate, where the association is secured using DNSSEC. That document "only relates to securely associating certificates for TLS and DTLS with host names" (see the last paragraph of section 1.2 of <xref target="RFC6698"/>).</t> <t>Some application protocols do not use host names directly; instead, they use a service domain, and the relevant target server host names are located indirectly via SRV records <xref target="RFC2782"/>. Because of this intermediate resolution step, the normal DANE rules specified in <xref target="RFC6698"/> cannot be applied to protocols that use SRV records. (Rules for SMTP <xref target='RFC5321'/>, which uses MX records instead of SRV records, are described in <xref target="I-D.ietf-dane-smtp-with-dane"/>.)</t> New: <t> The base DANE specification <xref target="RFC6698"/> describes how to use DNSSEC <xref target="RFC4033"/> secured TLSA resource records to associate a transport endpoint with corresponding TLS key material. Some application protocols locate transport endpoints indirectly via SRV records <xref target="RFC2782"/>. As a result of this indirection, the rules specified in <xref target="RFC6698"/> cannot be applied verbatim to protocols that use SRV records. (Rules for SMTP <xref target='RFC5321'/>, which uses MX records instead of SRV records, are described in <xref target="I-D.ietf-dane-smtp-with-dane"/>.) </t> 2. Introduction summary: The most notable clarification below is that TLS is only mandatory, for a given transport endpoint, when DNSSEC validated TLSA records are present, whether usable or not. If at least one record is usable, the peer must be authenticated. If referencing OPS creates timing difficulties, because (for some reason not clear to me) OPS is being held back relative to SMTP and SRV, detailed CNAME language can be found in the SMTP draft (modulo MX<->SRV substitution). Add to references: <!ENTITY I-D.ietf-dane-ops PUBLIC "" "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dane-ops.xml"> OLD: <t>We rely on DNSSEC to secure the association between the service domain and the target server host names (i.e., the host names that are discovered by the SRV query).</t> <t>The TLSA records are located using the port, protocol, and target server host name fields (not the service domain).</t> <t>Clients always use TLS when connecting to servers with TLSA records.</t> <t>Assuming that the association is secure, the server's certificate is expected to authenticate the target server host name, rather than the service domain.</t> NEW: <t> We rely on DNSSEC to secure SRV records that map the desired service, transport protocol and service domain to corresponding target transport endpoints (i.e., the host names and ports that are returned in the SRV records). </t> <t> TLSA records for each transport endpoint are located using the target port, tranport protocol, and target host name. In particular, TLSA records are not located directly via the service domain. </t> <t> When DNSSEC validated TLSA records are published for a particular transport endpoint, and the endpoint supports both cleartext and TLS communication, clients SHOULD use TLS when connecting to that endpoint. </t> <t> When at least one TLSA record is usable, the server's certificate or public key MUST match at least one of the usable TLSA records. The primary reference identity for peername checks is the TLSA base domain (generally the target host name) with the service domain also supported for compatibility with legacy deployments. Additional acceptable peer names may arise as a result of CNAME expansion of either the service domain or (if supported) the target hostname. See <xref target="I-D.ietf-dane-ops"/> for details. </t> -- Viktor.
- Re: [dane] WGLC: DANE-SRV Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- [dane] WGLC: DANE-SRV (Abstract and introduction … Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Stephen Farrell
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Michael J. Sheldon
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Viktor Dukhovni
- [dane] WGLC: DANE-SRV (Terminology and "SRV Query… Viktor Dukhovni
- [dane] WGLC: DANE-SRV ("Address Queries" and "TLS… Viktor Dukhovni
- [dane] WGLC: DANE-SRV feedback on 3.4 through res… Viktor Dukhovni