IETF Logo Mail Archive

Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 29 May 2014 18:04 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 947D21A016D for <dane@ietfa.amsl.com>; Thu, 29 May 2014 11:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uzhU9aDVrE0S for <dane@ietfa.amsl.com>; Thu, 29 May 2014 11:04:02 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 350661A0168 for <dane@ietf.org>; Thu, 29 May 2014 11:04:02 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 765EF2AB124; Thu, 29 May 2014 18:03:56 +0000 (UTC)
Date: Thu, 29 May 2014 18:03:56 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane WG list <dane@ietf.org>
Message-ID: <20140529180356.GL27883@mournblade.imrryr.org>
References: <201405290805.s4T85HBT008757@new.toad.com> <20140529141626.GH27883@mournblade.imrryr.org> <alpine.LFD.2.10.1405291257210.14277@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1405291257210.14277@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/t6233kb2qxMzJbQS_iVPmMg2Nak
Subject: Re: [dane] Extending TLSA RFC to operate with TLS's new raw public keys
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 May 2014 18:04:03 -0000

On Thu, May 29, 2014 at 12:59:06PM -0400, Paul Wouters wrote:

> >I think there is an obvious format, that should be spelled out
> >explicitly in some suitable document.  Namely the same format as
> >for the SPKI of a leaf certificate with any supported matching
> >type:
> >
> >   ; Match SPKI of a certificate or just the bare public key
> >   _25._tcp.mx1.example.com IN TLSA DANE-EE(3) SPKI(1) ? {blob}
> 
> Where is this not clear in the existing DANE RFCs?

Per John's note, the existing RFCs specifically exclude bare SPKI,
though otherwise I agree, the mapping is fairly natural/obvious.

> >DANE TLS clients that also support the new TLS oob public key
> >extension can include it in their client HELLO, provided every RR
> >in the TLSA RRset is a "3 1 X" RR (they must perform the DNS lookup
> >before client HELLO).  If any of the RRs have a different usage,
> >then a full leaf certificate may be required, and the client MUST
> >NOT signal oob public key support (since the client would potentially
> >be unable to match a subset of the TLSA records, which may the
> >currently active configuration).
> 
> Can you explain why that is needed? I would envison people to migrate
> from full certs to bare keys to have both available in their TLS server
> and in their TLSA record set.

The server will indeed have full certs and corresponding or
independent bare keys.  However all the TLSA RRs MUST be "3 1 X"
RRs (matching all the deployed certificates and public keys),
or else clients MUST NOT indicate support for "oob public key".

The point being that the client does not know which TLSA RRs are
"live" and which are "legacy" as a result of key rotation.  If all
the "3 1 X" records are legacy, and only "3 0 1" or "2 0 1" RRs
are "live", the client will fail to authenticate the server if it
learns only the public key of the live leaf certificate.

A client that negotiates "oob public key" can only learn the
server's leaf SPKI, so this needs to be sufficient to perform
authentication, which is only true when *all* the authentication
records are "3 1 X".

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email