Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 04 May 2012 11:29 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 047A321F871C for <dane@ietfa.amsl.com>; Fri, 4 May 2012 04:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[AWL=-0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07TeLeaASUKJ for <dane@ietfa.amsl.com>; Fri, 4 May 2012 04:29:18 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 6386121F871A for <dane@ietf.org>; Fri, 4 May 2012 04:29:18 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 512591ECB41C for <dane@ietf.org>; Fri, 4 May 2012 11:29:17 +0000 (UTC)
Date: Fri, 4 May 2012 07:29:22 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120504112922.GB4929@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu> <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 11:29:19 -0000

On Thu, May 03, 2012 at 08:18:41PM -0700, Eric Rescorla wrote:
> 
> While I understand that these operational constraints, I'm having
> trouble understanding what security benefit DANE offers if one behaves
> as you suggest, since it seems the attacker can simply force you to
> ignore any records that DANE provides.

As a client, you could be making a decision about what is more likely:

    1.  The attacker is able to undermine some CA.

    2.  The attacker is actually on-path and going to undermine my
    connection.  

In many cases, one might decide that (1) is more likely than (2), and
therefore decide that TLSA is a better thing to rely on.  During
deployment, however, one might be willing to think that (1) is less
likely than, "I am in a coffee shop, and these people bought crappy
infrastructure."  In that case, one might want to be able to fall back
to the way we actually do this today.  

I imagine that, over time, the tolerance for the broken infrastructure
will go down, and the fall-back decision will be less and less
attractive.  But if the protocol says that once a client supports
TLSA, any not-fully-modern DNS environment just means "no TLS", then
we will be promulgating a standard that cannot be deployed.  We might
as well not publish it.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com