IETF Logo Mail Archive

Re: [dane] provisioning assumptions, was PGP security models, was Summary

Paul Wouters <paul@nohats.ca> Tue, 22 September 2015 20:47 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2E2B1B2DDA for <dane@ietfa.amsl.com>; Tue, 22 Sep 2015 13:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsH_tMoXo03k for <dane@ietfa.amsl.com>; Tue, 22 Sep 2015 13:47:24 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 965591B2DD9 for <dane@ietf.org>; Tue, 22 Sep 2015 13:47:24 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3nLF7X50YZz3QZ for <dane@ietf.org>; Tue, 22 Sep 2015 22:47:20 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=XD4bXteS
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id BTyyoG5PB9ZF for <dane@ietf.org>; Tue, 22 Sep 2015 22:47:19 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dane@ietf.org>; Tue, 22 Sep 2015 22:47:19 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 97719800AD for <dane@ietf.org>; Tue, 22 Sep 2015 16:47:18 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1442954838; bh=o9UP9LH5lwavLR7txjN3hEs20nnwF4qNv93pc9F2iok=; h=Date:From:To:Subject:In-Reply-To:References; b=XD4bXteS/8zFGelyv15jA00wP0FZd1IQ18oVJiOMJlAnEnDzAE3cpandcL/RLZXN2 jpE88YOZgQOjXO5oP3LGOIpiJ08ej88FCBmSgvbpRvkPnTe0mEKtnHiyfX+rTp+DY7 UieUo0psRkFMyWrdGld3DPS1LUeSHUuMlKgE60Dk=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.2/8.15.2/Submit) with ESMTP id t8MKlIBv030834 for <dane@ietf.org>; Tue, 22 Sep 2015 16:47:18 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 22 Sep 2015 16:47:18 -0400
From: Paul Wouters <paul@nohats.ca>
To: dane WG list <dane@ietf.org>
In-Reply-To: <20150922201124.4334.qmail@ary.lan>
Message-ID: <alpine.LFD.2.20.1509221642410.30047@bofh.nohats.ca>
References: <20150922201124.4334.qmail@ary.lan>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/qYRh4ls7HnqcTAuBDHnKs3vyyuE>
Subject: Re: [dane] provisioning assumptions, was PGP security models, was Summary
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 20:47:26 -0000

On Tue, 22 Sep 2015, John Levine wrote:

> Also, this introduces a downgrade attack.  User creates a key, gets
> lots of WoT signatures, publishes it through key servers and DANE.
> Bad guy takes over the account, publishes a new key with no
> signatures.  According to sec 5.2 of the draft, a mail sender looks up
> the key, finds they disagree, and the verification fails.  Now what?
> The draft suggests dumping the question on the MUA user, which we know
> is never a good idea.  As likely as not a naive user would pick the
> newer key, the one that says "USE THIS KEY OLD ONE WAS STOLEN."

The attacker already receives all email to the stolen account. And can
reset all services that require only email verification for a password
reset. This is pretty identical to the situation where you do not use
DNS and the attacker takes over the email account and mails all address
book entries a new PGP key.

If encryption is required for life saving, and you are confronted with a
new key, then you better check either with the person or at the minimum
check it was signed with the old known key. The fact that you pull a
new key from DNS versus a new key from a keyserver is irrelevant to
this.

> Finally, if the problem with existing key servers is that they won't
> delete dead keys, that does not strike me as an insoluble problem.
> Talk to the people who run them

Please do. But it is out of scope for this draft that is specifying
a different method of publishing your openpgp keys.

> and we're all done.

That's your goal, not the goal of the dane working group when they
adopted this draft.

Paul

v2.23.0 | Report a Bug | By Email