Re: [dane] Feedback request: python3-dane (A pure-python DANE library for Python 3)

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 12 December 2014 18:14 UTC

Message-ID: <20141212181411.GE25666@mournblade.imrryr.org>
References: <5489774C.5090600@wielicki.name> <20141211150539.GA25666@mournblade.imrryr.org> <548AC246.8090004@wielicki.name>
In-Reply-To: <548AC246.8090004@wielicki.name>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/vymsiBdK97ki5gELP__5s3XWZqI

On Fri, Dec 12, 2014 at 11:24:06AM +0100, Jonas Wielicki wrote:

> > Great care must be exercised here, for example, after PKIX
> > validation succeeds, a naive request to OpenSSL for the peer's
> > chain returns the list of wire certificates, not the validated
> > chain.
>
> But I assume that one can obtain the actually validated chain using
> the verify_callback mechanism provided by OpenSSL?

Yes, with usage 0/1; with usage 2 the traditional chain-building
code cannot be used as-is.

> > * Usage DANE-TA(2) is the most difficult to support, and "toy"
> > implementations neglect to perform chain construction and integrity
> > checks or perform name checks, apply name constraints, depth
> > constraints, handle IDNA conversion of hostnames, ...
>
> I wonder whether adding certificates provided by DANE-TA records
> (assuming we have a Cert+Full record) to the trusted store of the SSL
> implementation (only for that particular connection) and checking whether
> these have been used after the fact would be sufficient?

It is not "sufficient", as these are not necessarily self-signed,
and OpenSSL (before 1.0.2) does not have a way to validate chains
that start with a trust anchor that is not self-signed.  Postfix can
also verify chains via a "2 1 0 <public key>" TLSA record, even
when the chain does not include the associated certificate!

-- 
	Viktor.
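The last point in the message above, a "2 1 0" (DANE-TA, SPKI, Full) record matching a chain that never carries the trust-anchor certificate, as an added example that is not part of the thread, of python3-dane or of Postfix. It is deliberately narrow: it assumes ECDSA P-256/SHA-256 keys, builds its own constructed leaf certificate, and performs none of the name, constraint or depth checks the message says a real DANE-TA implementation needs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// matchesDaneTA checks a non-empty wire chain (leaf first) against the RDATA of a
// "2 1 0" TLSA record (usage DANE-TA, selector SPKI, matching type Full): match if
// a chain cert carries that SPKI, or if the top cert's signature verifies under it.
func matchesDaneTA(chain []*x509.Certificate, spki []byte) (bool, error) {
	for _, c := range chain {
		if bytes.Equal(c.RawSubjectPublicKeyInfo, spki) {
			return true, nil // the TA certificate itself is on the wire
		}
	}
	top := chain[len(chain)-1] // TA cert absent: check who signed the top cert
	pk, err := x509.ParsePKIXPublicKey(spki)
	ta, ok := pk.(*ecdsa.PublicKey)
	if err != nil || !ok || top.SignatureAlgorithm != x509.ECDSAWithSHA256 {
		return false, fmt.Errorf("example handles only ECDSA/SHA-256 TA keys")
	}
	digest := sha256.Sum256(top.RawTBSCertificate)
	return ecdsa.VerifyASN1(ta, digest[:], top.Signature), nil
}

// buildChain is constructed data: a fresh TA key signs a leaf; only the leaf is
// returned (the TA cert is left off the wire) with the TA key's "2 1 0" RDATA.
func buildChain() ([]*x509.Certificate, []byte) {
	taKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{}, &leafKey.PublicKey, taKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	rdata, _ := x509.MarshalPKIXPublicKey(&taKey.PublicKey)
	return []*x509.Certificate{leaf}, rdata
}
func main() {
	chain, rdata := buildChain()
	fmt.Println(matchesDaneTA(chain, rdata)) // true <nil>
}
```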