IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 15 January 2015 22:49 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AC931A90A1 for <dane@ietfa.amsl.com>; Thu, 15 Jan 2015 14:49:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CtLCd-ZI9533 for <dane@ietfa.amsl.com>; Thu, 15 Jan 2015 14:48:58 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EC331A9090 for <dane@ietf.org>; Thu, 15 Jan 2015 14:48:58 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1F27E284B0A; Thu, 15 Jan 2015 22:48:57 +0000 (UTC)
Date: Thu, 15 Jan 2015 22:48:57 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150115224856.GG29286@mournblade.imrryr.org>
References: <201501152224.t0FMOoCl025516@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201501152224.t0FMOoCl025516@new.toad.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/gyfKUCFEQDiC9VhcFRRJlz1NbQg>
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2015 22:49:01 -0000

On Thu, Jan 15, 2015 at 02:24:50PM -0800, John Gilmore wrote:

> It has been seven months since the DANE WG "adopted" my very short
> draft that repealed the CA-motivated anti-interoperability
> prohibitions in RFC 6698 and simply specified how DANE authenticates
> or publishes raw public keys.  Therefore, the draft has expired.  In
> the meantime, as far as I can tell, nothing has been done.

The dane-ops draft in section 5.1 specifically extends the semantics
of "3 1 X" to cover RPK.  (The reference to the RPK draft needs to
be updated to reference the published RFC).

    http://tools.ietf.org/html/draft-ietf-dane-ops-07#section-12

       *  In Section 5.1 we update [RFC6698] to specify peer identity
	  matching and certificate validity interval based solely on the
	  basis of the TLSA RRset.  We also specify DANE authentication of
	  raw public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with
	  Certificate Usage DANE-EE(3) and selector SPKI(1).

If the text in section 5.1 of that document needs to say more, or
to be phrased differently, patches (to the XML please) welcome.

This group moves slowly.  I wish it were otherwise, but it seems
that working on DANE is nobody's day-job.

> All the urgency to actually solve this problem evaporated as soon as I
> allowed RFC 7250 to issue despite containing no text that addressed
> this problem.  I was assured by my friend Olafur and my colleagues
> Warren and Stephen, the people in authority over this working group
> and this whole security area, that they would address the issue "ASAP"
> if I would just follow their recommended procedures.  Yet it did not
> happen.
> 
> I did it the way you-all recommended, and nothing got done.  So the
> self-serving CA lobby won (delay is a win), and the NSA won (delay is
> a win for them too), and the public lost.
> 
> Where do we go from here?

Perhaps it is time to move the OPS draft into LC, now that the SMTP
and SRV drafts have had their turn.  (And perhaps time to move
those into IETF last call).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email