Re: [dane] Servers which offer RPK but have no TLSA records for that key
John Gilmore <gnu@toad.com> Thu, 05 June 2014 22:27 UTC
Return-Path: <gnu@toad.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E2B1A0273 for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 15:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.102
X-Spam-Level:
X-Spam-Status: No, score=-1.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-0.651] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NG92qFhJobzZ for <dane@ietfa.amsl.com>; Thu, 5 Jun 2014 15:27:26 -0700 (PDT)
Received: from new.toad.com (new.toad.com [209.237.225.253]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 526CF1A00FE for <dane@ietf.org>; Thu, 5 Jun 2014 15:27:26 -0700 (PDT)
Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id s55MREBT016220; Thu, 5 Jun 2014 15:27:14 -0700
Message-Id: <201406052227.s55MREBT016220@new.toad.com>
To: James Cloos <cloos@jhcloos.com>
In-reply-to: <m3bnu93yzc.fsf@carbon.jhcloos.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <76254E90-245A-4502-AFBE-74A3038BB08F@vpnc.org> <OFB1999EAD.836E27A5-ON85257CE8.0067D557-85257CEB.000B5F5E@us.ibm.com> <20140602022733.GK27883@mournblade.imrryr.org> <538C86C7.8000805@cs.tcd.ie> <20140602145215.GP27883@mournblade.imrryr.org> <20140602172922.GS27883@mournblade.imrryr.org> <alpine.LFD.2.10.1406030056500.19868@bofh.nohats.ca> <20140603130839.GY27883@mournblade.imrryr.org> <m3ppip5s57.fsf@carbon.jhcloos.org> <20140604025535.GJ27883@mournblade.imrryr.org> <m3bnu93yzc.fsf@carbon.jhcloos.org>
Comments: In-reply-to James Cloos <cloos@jhcloos.com> message dated "Wed, 04 Jun 2014 03:38:54 -0400."
Date: Thu, 05 Jun 2014 15:27:14 -0700
From: John Gilmore <gnu@toad.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/r5ZnR6B7OMPftRqizpM2AFBBunw
Cc: dane@ietf.org
Subject: Re: [dane] Servers which offer RPK but have no TLSA records for that key
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 22:27:27 -0000
> But even for a tls client which likes to try oob, and which only uses > dane to verify oob, it is not unreasonable to try oob and if it fails > try normal tls. The TLS Raw Public Keys (RPK) draft RFC does not require clients to retry failed negotiations. If it should, we had better fix it very soon, because it is a single approval from publication. It requires that servers only select RPK if they actively have a key usable with RPK (they send that key in the same message where they select RPK). It currently does not require clients to do the same. But let's look closer at the protocol negotiation to see where it's easiest to fix this situation. Clients that lack software support for PKIX should never offer the PKIX server certificate type in the TLS negotiation. Clients that lack software support for RPK should never offer to negotiate RPK server certificates in the TLS negotiation. This is non-controversial, and is required by RFC 7250. Should clients that lack any Trust Anchors never propose PKIX server certificates? Currently, such clients *do* negotiate PKIX and then prompt the user to validate the certificate that arrived during the PKIX negotiation. (You can verify this by emptying your browser's list of trust anchors and then accessing an TLS website.) Should clients that lack any way to validate a RPK never propose RPK? Since we have no such clients as yet, we could decide this. For example, a client may not have a preconfigured public key for this server, but it may have a DNSSEC resolver and DANE support. But when it starts the TLS session, it will probably not know whether there are any TLSA records that support Raw Public Keys. It sends its server certificate format options in the very first message in the TLS exchange. So, to positively know whether TLSA records exist and support RPK, it would have had to begin and finish a DNSSEC TLSA lookup, and evaluate the results with an eye toward RPK, before beginning *every* TLS exchange it initiates. I think we want to avoid that. Restating, the situation in question is when the client supports DNSSEC and DANE, has TLS software support for both PKIX and RPK, and so does the server, but the published TLSA records may not offer a way to verify the RPK that the server sends. In such a situation, Viktor proposes (if I understand his messages) that the client should offer support for PKIX and RPK server certificates; that the server should select RPK and send an RPK; that the client should then do the TLSA lookup, the client should notice that there is no way to authenticate the RPK it received, and then the client should terminate the TLS exchange and retry, offering only PKIX support. This proposal adds a retry requirement that currently does not exist in either the TLS RFC or the TLS RPK RFC. My proposal to handle this situation is that the client should offer support for PKIX and RPK server certificates; that the server should select PKIX and send a PKIX certificate chain, the client should then do the TLSA lookup, and that then the client should then validate the certificate chain using the TLSA records. This proposal treats the situation as a server misconfiguration. If the server will choose to negotiate RPK but does not have a TLSA record published that can validate RPK, it is misconfigured. Clients are not required to retry in order to attempt to bypass server misconfiguration. Persistent client failure will (eventually) alert the server operator to their error, and they will either fix the TLS server to not offer a RPK, or will fix the domain to include TLSA records that authenticate the server's RPK. John
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Hoffman
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Wes Hardaker
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Jim Schaad
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Tom Gindin
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Olafur Gudmundsson
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… James Cloos
- Re: [dane] Extending TLSA RFC to operate with TLS… Stephen Farrell
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Simon Arlott
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… John Gilmore
- Re: [dane] Servers which offer RPK but have no TL… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni
- [dane] Extending TLSA RFC to operate with TLS's n… John Gilmore
- Re: [dane] Extending TLSA RFC to operate with TLS… Paul Wouters
- Re: [dane] Extending TLSA RFC to operate with TLS… Viktor Dukhovni