Re: [dane] I-D Action: draft-ietf-dane-srv-04.txt

Viktor Dukhovni <> Mon, 17 February 2014 18:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 97A451A0239 for <>; Mon, 17 Feb 2014 10:15:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7XTJkpTtInqO for <>; Mon, 17 Feb 2014 10:15:38 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6C8E91A0207 for <>; Mon, 17 Feb 2014 10:15:38 -0800 (PST)
Received: by (Postfix, from userid 1034) id D10C02AB254; Mon, 17 Feb 2014 18:15:33 +0000 (UTC)
Date: Mon, 17 Feb 2014 18:15:33 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-srv-04.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Feb 2014 18:15:41 -0000

On Mon, Feb 17, 2014 at 02:30:57PM +0100, Martin Rex wrote:

> > Having actually implemented a complete DANE verifier, I can assure
> > you that there will be very few applications indeed that attempt
> > to do this.
> A number of TLS protocol implementations come with utility functions
> to make the task easier for applications to consume TLS.

We should not descend into a scholastic debate of the fine details
of where the boundary lies between "TLS engine code" and library
code that performs related functions on behalf of the application.

Both TLS protocol processing and certificate trust chain verification
a la DANE, will need to be provided by a complete SSL/TLS toolkit
to enable its applications to employ DANE.  DANE will require
various changes in those toolkits, some of those might be in the
protocol engine some in the related functions.

This said, my intention with DANE-EE(3) semantics is not necessarily
to preempt various features of the EE certificate that are not
covered by the TLSA record.  Rather, my goal was to make sure that
the TLSA record content is not trumped the content of the certificate
(whose signer is not even trusted since we're not checking any PKIX
trust chain).

We've already agreed that name checks are more than adequately
handled by the implied binding with the port, protocol and server
name in the TLSA base domain.

Beyond that, I'd like to make sure that also the validity interval
is from DNSSEC (no sudden failure so long the DNS zone continues
to publish a matching TLSA RR).  Similarly, RFC 5280 extended Key
Usage (sequence of KeyPurposeId) is superseded by the RRtype (TLSA)
to imply an acceptable purpose of id-kp-serverAuth.

So I can live with a weaker requirement, if that settles the issue.
With DANE-EE(3):

    - No PKIX signature verification.  Covered by TLSA association
      data field, and in any case we don't have a trusted issuer
      whose signature can be checked.  [ Obvious. ]

    - No name checks based on certificate content.  Covered
      by TLSA (service, protocol, base domain) triple.  [ Already agreed. ]

    - No expiration checks based on certificate content.  Covered
      by TLSA RRset's RRSIG expiration time.	[ Still under discussion. ]

    - No purpose checks based on extended key usage.  Covered by
      TLSA RRtype.	[ Still under discussion. ]

If there are other elements of the certificate potentially relevant
to the TLS protocol engine, any related functions or the application,
I can live with that.

It was my purpose to make the requirement as simple as possible,
and ignoring everything in the certificate is much simpler to
state than ignoring a subset.

In particular I have no objection to TLS protocol engines complying
with the keyUsage bits from:

Of the two "Still under discussion" fields, the expiration is by
far the most important for the operational success of DANE.  By
far the most common problem is expired certificates, and with
DANE-EE(3), we have an opportunity to eliminate this problem.
There is no more expiration, rather TLSA records are withdrawn from
DNS by the server operator once the certificate is no longer
appropriate (for whatever reason).  

The server operator should of course audit deployed certificates
and may use the expiration date as a reminder to rotate keys, but
with DANE-EE(3) I think it makes much more sense to leave the timing
of key rotation to the server operator, not the client.