IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Olafur Gudmundsson <ogud@ogud.com> Wed, 04 June 2014 02:19 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A66D1A0180 for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 19:19:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iju3yGCEmcR3 for <dane@ietfa.amsl.com>; Tue, 3 Jun 2014 19:19:30 -0700 (PDT)
Received: from smtp92.ord1c.emailsrvr.com (smtp92.ord1c.emailsrvr.com [108.166.43.92]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF801A017A for <dane@ietf.org>; Tue, 3 Jun 2014 19:19:29 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp4.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 96193140C96; Tue, 3 Jun 2014 22:19:23 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp4.relay.ord1c.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 40BE9140C94; Tue, 3 Jun 2014 22:19:22 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <201405290805.s4T85HBT008757@new.toad.com>
Date: Tue, 03 Jun 2014 22:19:20 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <08E92113-6C1F-4BD3-8846-4B117FA1AC1E@ogud.com>
References: <201405290805.s4T85HBT008757@new.toad.com>
To: John Gilmore <gnu@toad.com>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/qu5DyDX6W7HfO7wUmTrcHI3D0Y0
Cc: dane@ietf.org
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 02:19:33 -0000

John, 
Sorry for the top posting of our main arguments. 
RFC7250 has shipped, please do not hold up the publication. 
We need a quick turnaround to address the issues you identified below. 

As Wes Hardaker commented in a later message we have an “Dane uses and fixes” document in the
queue and adding this to it is appropriate. (dane-ops) 
<more comments inline plan at the bottom> 

On May 29, 2014, at 4:05 AM, John Gilmore <gnu@toad.com> wrote:

> The TLS Working Group is in the final stages of approving RFC 7250,
> "Using Raw Public Keys in TLS/DTLS":
> 
>  https://www.rfc-editor.org/authors/rfc7250.txt
> 
> The draft modifies the TLS protocol to allow clients and servers to
> negotiate and exchange types of authentication material other than
> PKIX certificate chains, and defines a format for exchanging a raw
> public key.  These public keys are authenticated "out of band",
> outside the TLS protocol, for example by prior administration (in some
> Internet-of-Things cases), or by the use of DANE.  Paul Wouters was
> the main author, and the protocol and document were significantly
> improved by several co-authors from the TLS WG.
> 
> In reviewing the draft, I noticed that it doesn't ever describe how
> you store such a public key in a TLSA record.  And the TLSA RFC 6698
> explicitly specifies that TLSA records can ONLY store PKIX
> certificates!  The relevant sections are:
> 
> RFC 6698 Sec. 1.3:
> 
>   This document only applies to PKIX [RFC5280] certificates, not
>   certificates of other formats.

This is a major change and specifying how to do other certificate types 
should go through the normal standards process. 
DANE WG is happy to take that on, and this should be processed before we go on to DANE-bis document. 

> 
> RFC 6698 Sec. 2.1.1:
> 
>   The certificate usages defined in this document explicitly only apply
>   to PKIX-formatted certificates in DER encoding [X.690].  If TLS
>   allows other formats later, or if extensions to this RRtype are made
>   that accept other formats for certificates, those certificates will
>   need their own certificate usage values.
> 
> I remember fighting this fight in the DANE WG, and the result was
> something along the lines of "We'll narrow the RFC now, and then
> if-and-when raw public keys are approved by the TLS WG, then we'll
> amend it to include them."  Well, the time has come.  Raw public keys
> are approved by the TLS WG.  The trouble is that nobody has bothered
> to amend the TLSA RFC, so the new draft RFC tells people "just use
> DANE", but the DANE TLSA RFC says, "No you can't”.

Lets fix this, based on experience!

> 
> I propose to add some text to the draft RFC 7250 that extends RFC 6698
> by defining how raw public keys are stored in TLSA records.

In the chairs opinion that is a bad idea. 

> 
> My coauthors seem to prefer that we just ignore the entire issue,
> issue RFC 7250, and ignore the conflict between the two.  As someone
> who learned most of what I know about protocols (and the Internet)
> from reading Saint Jon Postel's clearly written RFCs, I would hate to
> inflict that on future readers.  We should not release documents that
> contain deliberate incompatabilities.

We wish that this had been detected sooner and a corresponding document was in 
the publication queue, we are willing to commit to get this fix ASAP. 

> 
> We think RFC 7250 is ready to go except for this remaining issue.  It
> has been approved by the TLS WG, the IESG, the RFC Editor, and all the
> co-authors but me.
> 
> Here's my proposed wording change for RFC 7520.  Improvements welcome.
> Start from this version:
> 
>  https://www.rfc-editor.org/authors/rfc7250.txt
> 
> Section 4.4.
> OLD (entire section):
>   When the TLS server has specified RawPublicKey as the
>   server_certificate_type, authentication of the TLS server to the TLS
>   client is supported only through authentication of the received
>   client SubjectPublicKeyInfo via an out-of-band method.
> 
> NEW (entire section):
>   When the TLS server has specified RawPublicKey as the
>   server_certificate_type, authentication of the TLS server to the TLS
>   client is supported only through authentication of the received
>   client SubjectPublicKeyInfo via an out-of-band method.
> 
>   In order to support out-of-band authentication via DANE [RFC6698],
>   this document extends the DANE TLSA record definition to allow such
>   records to describe raw public keys as well as PKIX [RFC5280]
>   certificates.  This extension does not define any new field values;
>   it merely defines how existing fields are processed when being
>   matched to raw public keys provided by TLS servers.
> 
>   A raw public key is represented in a TLSA record by specifying a
>   certificate usage of 3 (domain-provided), a selector of 1
>   (SubjectPublicKeyInfo), and a matching type of 0.  The
>   SubjectPublicKeyInfo that holds the public key is placed in the
>   certificate association data.  Matching types other than 0 may also
>   be used, by placing the corresponding hash value into the
>   certificate association data.
> 
>   DANE [RFC6698] section 1.3 is extended to say:
> 
>      This document only applies to raw public keys and to PKIX
>      [RFC5280] certificates, not certificates of other formats.
> 
>   DANE section 2.1.1 is extended to say:
> 
>      The certificate usages 0, 1 and 2 defined in this document
>      explicitly only apply to PKIX-formatted certificates in DER
>      encoding [X.690].  If TLS allows other formats later, or if
>      extensions to this RRtype are made that accept other formats for
>      certificates, those certificates will need their own certificate
>      usage values.
> 
>   In DANE section 2.1.1, in addition to the definition of certificate
>   usage 3 with TLS servers that use PKIX certificates, certificate
>   usage 3 may also be used with TLS servers that use raw public keys:
> 
>      3 -- Certificate usage 3 is also used to specify a raw public key
>      that MUST match the raw public key presented by the server in
>      TLS.  When the TLS server provides a raw public key, there is no
>      PKIX certificate and no PKIX validation is done; the TLS
>      server's raw public key MUST match the raw public key provided in
>      the TLSA record.  This certificate usage is sometimes referred
>      to as "domain-issued" because it allows a domain administrator
>      to directly certify a domain's public keys.
> 
> I believe that this wording reflects the up-to-now tacit consensus on
> how the DANE WG expects TLS raw public keys to be represented and
> processed in TLSA records.  In the absence of significant dissent or
> further improvements, I propose to provide the above updates to the
> RFC Editor and release the new RFC.
> 
> 	John

We think this text is a good starting point, for the OPS document that will update RFC6698

The plan we propose is publish RFC7250 and push the fix out no later than right after the
IETF meeting in Toronto. 

	Olafur & Warren

v2.23.0 | Report a Bug | By Email