Re: [dane] Behavior in the face of no answer?

[Eric Rescorla <ekr@rtfm.com>]

On Fri, May 4, 2012 at 4:29 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> On Thu, May 03, 2012 at 08:18:41PM -0700, Eric Rescorla wrote:
>>
>> While I understand that these operational constraints, I'm having
>> trouble understanding what security benefit DANE offers if one behaves
>> as you suggest, since it seems the attacker can simply force you to
>> ignore any records that DANE provides.
>
> As a client, you could be making a decision about what is more likely:
>
>    1.  The attacker is able to undermine some CA.
>
>    2.  The attacker is actually on-path and going to undermine my
>    connection.

I'm confused by this answer: DANE (for the two constraints modes)
only offers security value if *both* of these things are true. If the
first is not true, then a PKIX certificate is sufficient to distinguish
between valid users and attackers and in the second is not true,
then even an attacker with an invalid certificate cannot get
your packts.

> In many cases, one might decide that (1) is more likely than (2), and
> therefore decide that TLSA is a better thing to rely on.  During
> deployment, however, one might be willing to think that (1) is less
> likely than, "I am in a coffee shop, and these people bought crappy
> infrastructure."  In that case, one might want to be able to fall back
> to the way we actually do this today.

Again, this is logical, but as far as I can tell it obviates the security
provided by DANE. I'd like to repeat the question I asked in my
previous message: can you describe a set of attacker capabilities
which would be sufficient for an attacker to mount a successful
attack on TLS pre-DANE but would not post-DANE, provided
that clients react to TLSA non-response by falling back to pre-DANE
behavior?

Thanks,
-Ekr