Re: [dane] Behavior in the face of no answer?

[Eric Rescorla <ekr@rtfm.com>]

On Tue, May 15, 2012 at 6:24 PM, John Gilmore <gnu@toad.com> wrote:
>> responses being sent to the user.  Thus, in order to achieve any
>> security benefit from certificate usage 0 or 1, the protocol requires
>> that when DNS responses have not arrived or are not valid, the TLS
>> connection must not succeed.
>
> It's easy for a Man in the Middle to subvert cert usage 3 this way
> too.  They just issue themselves a cert signed by some subverted
> public CA, block your TLSA DNS responses, and then if you proceed with
> TLS, you'll accept the key signed by the subverted public CA, since
> you never saw the record that says "This server is secured by THIS
> PUBLIC KEY RIGHT HERE, and not anything else."
>
> This attack also works against cert usage 2.  Thus I'm not sure why
> this proposed graf even mentions cert usages 0 and 1, except perhaps
> to remind the PKIX fans among us that proceeding in the face of DNS
> blockage causes even their favorite forms of TLSA to be vulnerable.

It's there because I hadn't had time to really think about 2 and 3
but I was sure about 0 and 1.

With that said, it's not true that 2 and 3 are the same as 0 and 1. Imagine
a client which asks for TLSA records and pays attention to 2 and 3 but
ignores 0 and 1. That client could (assuming people actually serve
TLSA records) avoid showing the red screen of death for some
self-signed sites. Surely that is indeed of security value, although
it does not offer any defense against CA compromise.

-Ekr