IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 03 June 2014 13:08 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA5E81A01F6 for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 06:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubTyO1JYfIEf for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 06:08:50 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 102D31A026D for <dane@ietf.org>; Tue, 3 Jun 2014 06:08:46 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 167B52AABD5; Tue, 3 Jun 2014 13:08:40 +0000 (UTC)
Date: Tue, 03 Jun 2014 13:08:40 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140603130839.GY27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org> <OFB1999EAD.836E27A5-ON85257CE8.0067D557-85257CEB.000B5F5E@us.ibm.com> <20140602022733.GK27883@mournblade.imrryr.org> <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <alpine.LFD.2.10.1406030056500.19868@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1406030056500.19868@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/q7I0cmeMdsyOiyOqz70lioHwNdM
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jun 2014 13:08:53 -0000

On Tue, Jun 03, 2014 at 01:04:55AM -0400, Paul Wouters wrote:

> On Mon, 2 Jun 2014, Viktor Dukhovni wrote:
> 
> >In whatever document ends up publishing the details,  I would say:
> >
> >   TLS clients that support out of band public keys ([TLS WG
> >   document reference]) authenticated via DANE TLSA records SHOULD
> >   NOT employ the "oob public key" TLS extension unless all the
> >   server's TLSA records are compatible with out of band public
> >   keys.  The client SHOULD send an SNI extension with the server's
> >   TLSA base domain even if it is willing or expecting to use out
> >   of band public keys.
> 
> Again, I don't see why. If there is one TLSA record that matches the
> public key of the server, that's good enough. If you do any kind of TLS
> key rollover, the TLS admin better pre-publish the proper TLSA records.

Suppose the only one that does is a "DANE-TA(2) Cert(0) SHA2-256(1)".
What then?

	; transition state when updating DNS records prior to new
	; key deployment.
	;
	example.com IN TLSA 3 1 1 {recent past blob}
	example.com IN TLSA 2 0 1 {current blob}

A client that negotiates "oob public key" in this state fails to
authenticate the server.

> Saying that all TLSA records should be of a type compatible with oob
> serves no purpose and could hinder deploymentment of oob TLS.

Obviously I have a purpose in mind, for some reason it is not
getting through.  I think some others have understood, perhaps they
can have a crack at explaining it to you.

> If a TLS client local policy prefers oob, and it finds only non-oob
> compatible TLSA records, it could omit using oob to prevent issues.
> But I don't think that is a MUST.

We can quibble over MUST vs. SHOULD.  However, and especially
because the point appears to be non-obvious to many, experts
included, it needs to be made.  ALL the TLSA records need to be "3
1 X", possibly also "3 0 0", or else the client SHOULD skip "oob".

> >   Servers that support "oob public key" MAY employ SNI to select
> >   the correct public key, either by identifying a matching
> >   certificate from which to extract the key, or via some other
> >   mapping from the requested domain to the corresponding key.
> 
> I do not see why we need to drag SNI into this. How is SNI different for
> bare keys versus certificates?

It isn't.  I just wanted to spell it out.  DANE clients send SNI, even
if when they use "oob public key".  As in my reply to John Gilmore, if
everyone agrees this is obvious, it is not essential (but harmless, no?).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email