IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Martin Rex <mrex@sap.com> Tue, 15 May 2012 20:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B507011E8072 for <dane@ietfa.amsl.com>; Tue, 15 May 2012 13:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.089
X-Spam-Level:
X-Spam-Status: No, score=-10.089 tagged_above=-999 required=5 tests=[AWL=0.160, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTcUov+LFF1j for <dane@ietfa.amsl.com>; Tue, 15 May 2012 13:08:56 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id E331C11E80A3 for <dane@ietf.org>; Tue, 15 May 2012 13:08:55 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q4FK8sdN022621 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 15 May 2012 22:08:54 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205152008.q4FK8rAx001987@fs4113.wdf.sap.corp>
To: ekr@rtfm.com (Eric Rescorla)
Date: Tue, 15 May 2012 22:08:53 +0200 (MEST)
In-Reply-To: <CABcZeBMgQR9kLn50fVxx8_kihr5ZvZ8PnhEoHbo9=25ZcQeoKw@mail.gmail.com> from "Eric Rescorla" at May 15, 12 10:05:46 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: paul.hoffman@vpnc.org, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2012 20:08:56 -0000

Eric Rescorla wrote:
> 
> On Tue, May 15, 2012 at 10:04 AM, Martin Rex <mrex@sap.com> wrote:
> > Eric Rescorla wrote:
> >>
> >> On Tue, May 15, 2012 at 9:52 AM, Martin Rex <mrex@sap.com> wrote:
> >> > And as a fallback, browsers could use a TLSA & server-cert lock, i.e.
> >> > memorizing information from the last visit of a site and using that
> >> > to perform server endpoint identification in case that DNSSEC lookups
> >> > fail when roaming.
> >>
> >> At which point it's hard to understand how this is better than cert pinning
> >> via HSTS.
> >
> > Such a TLSA & server-cert lock is supposed to be transient substitute for
> > the lack of DNSSEC connectivity.  That memorized information will need
> > to be updated whenever full DNSSEC connectivity is available.
> 
> And the HSTS information can be updated whenever you go to the server.

But the HSTS has a clear hen-and-edd problem:  You can _only_ get updates
when the verification based on the previous information is still possible,
otherwise your browser will not establish the communication channel that
is a pre-requisite to obtain the updated information.

To me it looks like it will be pretty easy to lock yourself out, since
you have no influence about how frequently the client accesses a site.
(that is like replicating the DNS root key rollover problem for every
single site).

-Martin

v2.8.7 | Report a Bug | By Email