[dispatch] Review of draft-bhjl-x509-srv-02
Martin Thomson <martin.thomson@gmail.com> Mon, 15 August 2016 07:45 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5F3512D893 for <dispatch@ietfa.amsl.com>; Mon, 15 Aug 2016 00:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YozmvjusSTle for <dispatch@ietfa.amsl.com>; Mon, 15 Aug 2016 00:45:39 -0700 (PDT)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2C0712D589 for <dispatch@ietf.org>; Mon, 15 Aug 2016 00:45:38 -0700 (PDT)
Received: by mail-qt0-x22e.google.com with SMTP id 52so18206830qtq.3 for <dispatch@ietf.org>; Mon, 15 Aug 2016 00:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=Wfatry18B6kvtoqK0Ikn40++McENp6dPvewbsujx+BU=; b=zlwWWr6NU0aqTlDn0i7yznCTJq1Q5w4E0ejbMRqclwDZRENHWVUOFlF9rKlN/6cM5a ya2TSqAizpxCSIpZ21Dan3Ezk++BKUQrs9HY4dsplMiJiGqLLpziR7e2n73Z+LAX8UJ1 /2z7Kz1solS81svqUtRDrrfVfxfBOjH3OKx+r4H+r7RPc9kTNoyqTW3LVplhOGGgNv+/ kYIcLPTPBh8WGvd+8ZLQpPLQRGmkgfpEEJbrOcH9l56AQ6yQKsfFWGXR2sq49ls39+JR eTPi8KZgPdBWImIxboA8hBaZJ3AScsibJtg++iQR06xUZMaq0NB/k0+3il+LTdQPDMyM 3HFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Wfatry18B6kvtoqK0Ikn40++McENp6dPvewbsujx+BU=; b=LUSuflBEmQTOLrQb+R624ivuOZ/UNmbNwgUDNo0xXT3SSMCpOLfwgypxV0JXq3gJwj CuTxt0OmSln3+VTZCmvCjM3OoRMHoiAJERbqX6iA0sDsfuSDCmvSOYBl4Vl15bWlAd0A DaOY09VVmqtb6eE74yDXPJsS/p2Se+qMJ2olE1zXYwSH08L6agvi0pLA2A80WSKkgKno rQLsgOT7sEcRT7LGHX3kqZRLLxTBKEi0XXWxE3oxr/Bh71i5XNw0423pXw7EqkwimP67 Nyek2hj1G03qkF9rkvrik8+YFjdaAH+PvoQVDOcqPQau2+ZVU8/0KoyNd/tgPqVMLRkK qLEw==
X-Gm-Message-State: AEkooutB7uNNEjohGHywlthsXCS7dvt71XXVVxDMSYf5bypiH2fS7CcFgkYHT75UCFy+3FYPbxRo1ZbGpDbsZA==
X-Received: by 10.237.52.225 with SMTP id x88mr31200875qtd.24.1471247137876; Mon, 15 Aug 2016 00:45:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.22.146 with HTTP; Mon, 15 Aug 2016 00:45:37 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 15 Aug 2016 17:45:37 +1000
Message-ID: <CABkgnnUxE94YHBsJWBWEgV75cGD_U-JY6N_82S7k+0eZr3Kp1Q@mail.gmail.com>
To: draft-bhjl-x509-srv@tools.ietf.org, DISPATCH <dispatch@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/S4nZnqyYfnU-jWKVXBxnmewIMik>
Subject: [dispatch] Review of draft-bhjl-x509-srv-02
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 07:45:41 -0000
It seems like there are many similar sorts of approaches to this general problem floating around. If there is indeed interest in deploying something, then I am encouraged. However, I think that this document requires a lot of work. Meta: This looks very similar to draft-miller-saag-key-discovery-00. That uses webfinger. I would encourage the authors to talk to Matt and Suhas to see if they have any input on these designs. RFC 4387 isn't a great design. I'd be quite surprised to learn of independent, interoperable implementations given some of the omitted details there. The biggest problem with RFC 4387 is the use of fixed URL paths. It is excused because it predates RFC 7320 excuses it, but does not excuse any document that chooses to rely on it. That this is a service discovered via SRV alleviates some of the pressure on servers, but I think that a better approach would be to use .well-known URIs and avoid SRV. SRV is not a mechanism that is well-integrated into HTTP stacks, so you would forcing implementations to take on special resolver logic. I don't see much information in the document about how this might be deployed. Both SRV and DNSSEC have some deployment challenges. The document needs to be a lot clearer about where trust comes from. Much of the text talks about the use of DNSSEC and HTTPS in various ways, each of which might be relied upon to provide certain properties (authentication, integrity, etc...), but I don't think that the intent of this document is to rely on any of that stuff: this is just a way to find certificates and whether those certificates are trusted or not will be determined based solely on their contents and any configured trust anchors (or the equivalent of that for PGP). Section 2: The document never actually says how an implementation might choose the domain name to attach the _tcp to. That needs to be written down. Maybe this can subsume Section 4. Is the client expected to follow CNAME/DNAME when resolving this? What value does DNSSEC provide here? The implication is that integrity is used for something, but from responses to questions on this list, it's fairly clear that this isn't at all important. This: "The certificate of the https server SHOULD be validated by a DNSSEC signed TLSA record, and MAY also be validated by a certificate authority." disagrees with established practice for authenticating HTTPS servers. DANE is - at best - aspirational. More to the point, this needs to identify the name that will be used when authenticating the server. The introduction of SRV into the mix means that you are creating a delegation, which has huge risks if you pick the wrong answer. The best advice I have is to not permit the creation of delegations, because this reduces exposure to attacks on the integrity of the DNS. Section 3: Is bob@example.com an email address? The document needs to be more precise about how you go from inputs to produce these URIs. WebFinger [RFC7033] is quite precise about its inputs and how they are interpreted to form a URI. You also need to be much more precise about what requests are made, and the form of the responses. RFC 4387 is remarkably woolly about some of these important details, to the point that it might not be interoperable. Section 4: This seems a bit odd way of approaching the problem. You could just say that if FOO@example.com and f.o.o@example.com are considered equivalent by example.com then the same answer should be provided to requests for both names. And that you can use a redirect or the Content-Location header field to identify a single location if that is desirable. RFC 4387 is selective about what parts of HTTP it likes, but it is pretty big on the use of redirects, so no problem with using 3xx there. Section 5: The domain MAY publish validation certificates using TLSA records at the name _smimeca._tcp. This little throwaway line really needs its own section. The two sentences in the doc aren't nearly enough detail to produce an implementation. What do these certificates contain? Not trust anchors, I hope. What is the point of these being TLSA records? Is the intent to produce the missing pieces of a certification path [RFC 5280] that a client might be able to make a decision about the trustworthiness of the end-entity certificate that the certificate store has? Why would the certificate store not include that information directly? TLS includes multiple certificates from the certification path in its Certificate message, maybe you can find some way for the store to produce additional certificates. If you use HTTPS to retrieve them, then you don't have to stitch together more disparate protocols and you avoid some of the confidentiality issues that arise from sticking stuff in the DNS. Section 7: That last paragraph is unnecessary: if the trust in the certificate that is provided is based on information that is acquired independently of this protocol, then you don't need to say things like that. That sort of statement implies that there is some component of trust being conveyed, which would mean an entirely different analysis than what I've done here (which is of a direct acquisition protocol, not a security protocol). What if a user wanted to only make their certificate available to a certain subset of requesters? Is that possible?
- Re: [dispatch] Review of draft-bhjl-x509-srv-02 John Levine
- [dispatch] Review of draft-bhjl-x509-srv-02 Martin Thomson