[dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 04 November 2013 22:32 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3703711E8185 for <dane@ietfa.amsl.com>; Mon, 4 Nov 2013 14:32:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnkUlfF0b197 for <dane@ietfa.amsl.com>; Mon, 4 Nov 2013 14:32:28 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEA111E81ED for <dane@ietf.org>; Mon, 4 Nov 2013 14:32:26 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 751462AB125; Mon, 4 Nov 2013 22:32:19 +0000 (UTC)
Date: Mon, 04 Nov 2013 22:32:19 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131104223219.GP2976@mournblade.imrryr.org>
References: <68F7E418-B6F1-46C2-9344-00BB6102D940@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <68F7E418-B6F1-46C2-9344-00BB6102D940@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 22:32:34 -0000
On Mon, Nov 04, 2013 at 11:08:46AM -0800, Paul Hoffman wrote: > If you're at the Vancouver IETF meeting and want to talk about > DANE, hold the date. Though I am not attending the Vancouver IETF meeting, I am interested in feedback on the below DANE-related issue: - Suppose some day we discover that SHA256 is flawed and is subject to effective second-preimage attacks. - Suppose that hypothetically SHA512 remains secure. - How would clients and servers gracefully cut-over to only use SHA512 and avoid SHA256? My proposal is as follows: When a TLSA RRset contains multiple RRs of the form: _<port>._tcp.server.example.com. IN TLSA <U> <S> <M> <D> with the same values of "U" and "S" but different values of the matching type, a client MAY ignore a "weaker" matching type (deprecated digest algorithm) when a "stronger" matching type for the same usage and selector is present. Which matching types are considered "weaker" is generally at the client's discretion. Rationale: Avoid algorithm switch flag days. Once a widely used digest algorithm is deemed no longer robust, servers continue to include it in their TLSA records along with stronger digests. Correctly configured clients use only the stronger digests and are not exposed to the flaws of weaker algorithms. Eventually, (once few clients remain that don't support strong digests) servers stop including weak digests in their TLSA RRsets. Consequences: - TLSA records that specify multiple certificates or public keys for a single (U,S) combination (e.g. multiple trust anchors, or multiple EE certificates during key roll-over) MUST use the same set of matching types for all of them! Otherwise, clients may fail to support one of the desired certificates, when they choose to support only the RRs with the strongest matching type. - Changes in the mixture of matching types (digest algorithms) used in a given TLSA RRset should be made when the set of keys is stable. In other words, do either key rotation or change of digest algorithms, but not both at the same time. (Recall, that with key rotation, one must publish TLSA RRs for new keys before they are deployed in the field, as clients may for a short time see only the old RRs due to DNS caching). Alternative: - Clients always accept all supported digests, without pruning for the strongest. - But then there is no good way to obsolete an algorithm, a server publishing a "weaker" digest exposes all clients risk. A server publishing only the strongest digests risks not interoperating with many clients (flag day). - To avoid flag days, we need multiple strong *mandatory* to implement digest algorithms, and rely on them not all failing at the same time. - At this time RFC 6698 only mandates SHA256, so we don't have digest algorithm agility. -- Viktor.
- [dane] Informal lunch meeting in Vancouver on Thu… Paul Hoffman
- Re: [dane] Informal lunch meeting in Vancouver on… Matt Miller (mamille2)
- Re: [dane] Informal lunch meeting in Vancouver on… Paul M
- Re: [dane] Informal lunch meeting in Vancouver on… Peter Saint-Andre
- Re: [dane] Informal lunch meeting in Vancouver on… Warren Kumari
- Re: [dane] Informal lunch meeting in Vancouver on… Peter Saint-Andre
- Re: [dane] Informal lunch meeting in Vancouver on… Yoav Nir
- Re: [dane] Informal lunch meeting in Vancouver on… Stephen Farrell
- Re: [dane] Informal lunch meeting in Vancouver on… Dan York
- Re: [dane] Informal lunch meeting in Vancouver on… Ondřej Surý
- Re: [dane] Informal lunch meeting in Vancouver on… Sean Leonard
- [dane] Digest algorithm agility (possible discuss… Viktor Dukhovni
- Re: [dane] Informal lunch meeting in Vancouver on… Wes Hardaker
- Re: [dane] Informal lunch meeting in Vancouver on… Paul Hoffman
- Re: [dane] Informal lunch meeting in Vancouver on… Viktor Dukhovni
- Re: [dane] Informal lunch meeting in Vancouver on… Viktor Dukhovni
- Re: [dane] Informal lunch meeting in Vancouver on… Peter Saint-Andre
- Re: [dane] Informal lunch meeting in Vancouver on… Wes Hardaker
- Re: [dane] Informal lunch meeting in Vancouver on… Paul Wouters
- Re: [dane] Informal lunch meeting in Vancouver on… Olafur Gudmundsson
- Re: [dane] Digest algorithm agility (possible dis… Matt McCutchen
- Re: [dane] Informal lunch meeting in Vancouver on… Daniel Migault
- Re: [dane] Informal lunch meeting in Vancouver on… Dickson, Brian
- Re: [dane] Informal lunch meeting in Vancouver on… Anton Baskov
- Re: [dane] Digest algorithm agility (possible dis… Viktor Dukhovni
- Re: [dane] Digest algorithm agility (possible dis… Matt McCutchen
- Re: [dane] Digest algorithm agility (possible dis… Viktor Dukhovni
- Re: [dane] Digest algorithm agility (possible dis… Viktor Dukhovni