IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 04 June 2014 02:55 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F7C1A0027 for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 19:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0aaEewijiKUE for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 19:55:42 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C90AC1A0023 for <dane@ietf.org>; Tue, 3 Jun 2014 19:55:41 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 47E702AAB4F; Wed, 4 Jun 2014 02:55:35 +0000 (UTC)
Date: Wed, 04 Jun 2014 02:55:35 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140604025535.GJ27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org> <OFB1999EAD.836E27A5-ON85257CE8.0067D557-85257CEB.000B5F5E@us.ibm.com> <20140602022733.GK27883@mournblade.imrryr.org> <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <alpine.LFD.2.10.1406030056500.19868@bofh.nohats.ca> <20140603130839.GY27883@mournblade.imrryr.org> <m3ppip5s57.fsf@carbon.jhcloos.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m3ppip5s57.fsf@carbon.jhcloos.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pZoYeeOv3_XjNUL5negbq2uy6Fo
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 02:55:53 -0000

On Tue, Jun 03, 2014 at 10:23:39PM -0400, James Cloos wrote:

> VD> Suppose the only one that does is a "DANE-TA(2) Cert(0) SHA2-256(1)".
> VD> What then?
> 
> The oob requesting client aborts.  And, perhaps, tries again w/o oob.
> 
> Or, if the client also groks oob-via-ldap, it uses the ldap info instead
> of the tlsa.
> 
> I know (based on your posts) that you don't like that as a possible outcome.  
> But for many it is not a big deal.

Authentication unnecessarily failing is indeed a big deal.  There isn't
always a user to click OK, and stateful fallback is a pain to get right
and opens up opportunities for downgrade attacks.

Unreliable authentication protocols that fail even when both sides
are doing everything right are broken by design.

Needless corner cases need to be rounded out.  I am willing to say
"SHOULD" rather than MUST, but otherwise, I am not giving up without
a better argument than "IETF security protocols sport broken corner
case by design" and we're used to it.  Just like we're used to
broken implementations I guess.  I am from a design and implementation
culture where we do it well, or not at all.

The onus to get this corner case avoided needs to be either on the
client or on the server.  The client-side solution is simpler:

    * Avoid "oob public key" negotiation when authentication is
      via DANE and TLSA records may require a full certificate.

The server-side solution is more complex:

    * When publishing any "3 1 X" TLSA records, always publish
      records that match the current leaf keys.  When transitioning
      to/from "3 1 X" TLSA RRs to other usage/selector pairs, change
      one thing at a time.  Either change the keys while keeping
      the set of usage/selector pairs fixed (publishing these for
      both new and old keys during the transition), or else keep
      the keys fixed and publish both new and old usage/selector
      combinations during the transition.

If the group strongly prefers the server-side approach, speak up.
Silence on the issue leads to security protocol implementations
that break for no good reason for a multiple of the TLSA RR TTL.

The OPS draft needs to advise the use of either or both of the
above approaches.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email