[dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 04 November 2013 22:32 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3703711E8185 for <dane@ietfa.amsl.com>; Mon, 4 Nov 2013 14:32:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id pnkUlfF0b197 for <dane@ietfa.amsl.com>; Mon, 4 Nov 2013 14:32:28 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org []) by ietfa.amsl.com (Postfix) with ESMTP id 4BEA111E81ED for <dane@ietf.org>; Mon, 4 Nov 2013 14:32:26 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 751462AB125; Mon, 4 Nov 2013 22:32:19 +0000 (UTC)
Date: Mon, 04 Nov 2013 22:32:19 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131104223219.GP2976@mournblade.imrryr.org>
References: <68F7E418-B6F1-46C2-9344-00BB6102D940@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <68F7E418-B6F1-46C2-9344-00BB6102D940@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 22:32:34 -0000

On Mon, Nov 04, 2013 at 11:08:46AM -0800, Paul Hoffman wrote:

> If you're at the Vancouver IETF meeting and want to talk about
> DANE, hold the date.

Though I am not attending the Vancouver IETF meeting, I am interested
in feedback on the below DANE-related issue:

    - Suppose some day we discover that SHA256 is flawed and is
      subject to effective second-preimage attacks.

    - Suppose that hypothetically SHA512 remains secure.

    - How would clients and servers gracefully cut-over to only
      use SHA512 and avoid SHA256?

My proposal is as follows:

When a TLSA RRset contains multiple RRs of the form:

	_<port>._tcp.server.example.com. IN TLSA <U> <S> <M> <D>

with the same values of "U" and "S" but different values of the
matching type, a client MAY ignore a "weaker" matching type
(deprecated digest algorithm) when a "stronger" matching type for
the same usage and selector is present.  Which matching types are
considered "weaker" is generally at the client's discretion.


    Avoid algorithm switch flag days.  Once a widely used digest
    algorithm is deemed no longer robust, servers continue to
    include it in their TLSA records along with stronger digests.
    Correctly configured clients use only the stronger digests and
    are not exposed to the flaws of weaker algorithms.  Eventually,
    (once few clients remain that don't support strong digests)
    servers stop including weak digests in their TLSA RRsets.


    - TLSA records that specify multiple certificates or public
      keys for a single (U,S) combination (e.g. multiple trust
      anchors, or multiple EE certificates during key roll-over)
      MUST use the same set of matching types for all of them!

      Otherwise, clients may fail to support one of the desired
      certificates, when they choose to support only the RRs with
      the strongest matching type.

    - Changes in the mixture of matching types (digest algorithms)
      used in a given TLSA RRset should be made when the set of
      keys is stable.  In other words, do either key rotation or
      change of digest algorithms, but not both at the same time.

      (Recall, that with key rotation, one must publish TLSA RRs
      for new keys before they are deployed in the field, as clients
      may for a short time see only the old RRs due to DNS caching).


    - Clients always accept all supported digests, without pruning
      for the strongest.

    - But then there is no good way to obsolete an algorithm, a
      server publishing a "weaker" digest exposes all clients
      risk.  A server publishing only the strongest digests risks
      not interoperating with many clients (flag day).

    - To avoid flag days, we need multiple strong *mandatory* to
      implement digest algorithms, and rely on them not all failing
      at the same time.

    - At this time RFC 6698 only mandates SHA256, so we don't have
      digest algorithm agility.