IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt

Philip Homburg <pch-dnsop-4@u-1.phicoh.com> Sat, 11 December 2021 11:24 UTC

Return-Path: <pch-b28DE43C2@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C513A0C18 for <dnsop@ietfa.amsl.com>; Sat, 11 Dec 2021 03:24:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L44GNOXhH01p for <dnsop@ietfa.amsl.com>; Sat, 11 Dec 2021 03:24:19 -0800 (PST)
Received: from stereo.hq.phicoh.net (stereo6.hq.phicoh.net [IPv6:2001:981:201c:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 713023A07A2 for <dnsop@ietf.org>; Sat, 11 Dec 2021 03:24:18 -0800 (PST)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1mw0U9-0000IMC; Sat, 11 Dec 2021 12:24:13 +0100
Message-Id: <m1mw0U9-0000IMC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-4@u-1.phicoh.com>
Sender: pch-b28DE43C2@u-1.phicoh.com
References: <163908832760.8339.4135304026578566025@ietfa.amsl.com> <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com> <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org>
In-reply-to: Your message of "Fri, 10 Dec 2021 12:57:46 -0500 ." <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org>
Date: Sat, 11 Dec 2021 12:24:13 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9V6ftbdPBj_O0dIjh-UoB6NY_CE>
Subject: Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2021 11:24:24 -0000

> 1.  While DANE certificate validation as described in RFCs 7671,7672
> and 7673
>     is fine in SMTP, IMAP, XMPP, ... for HTTP (and perhaps some
>     other applications) skipping validation of the target name with
>     DANE-EE(3) records introduces a "UKS" (i.e. "Unknown Key Share")
>     issue, that would definitely be a concern for "h3".
> 
>     https://datatracker.ietf.org/doc/html/draft-barnes-dane-uks-00
> 
>     Thus, unless "UKS" is known to not be a concern, applications
>     should also validate the target name against the server
>     certificate even with DANE-EE(3).

There is something I don't understand about this draft.

Support an attacker creates attack[1-3].example.com with 3 different setups:
1) attack1.example.com has a regular PKI cert and the attacker runs a 
   reverse proxy there that relays traffic to victim.example.com
2) attack2.example.com has a self signed cert and DANE with both
   attack2.example.com and victim.example.com in the DNS names of the cert.
   Again the attacker has a reverse proxy and relays to victim.example.com
3) attack3.example.com has a DANE record that refers to the cert of
   victim.example.com. There the attacker directly relays traffic to 
   victim.example.com.

>From the point of view of the victim client, how are these three setups
different? What makes it that 1) and 2) are fine, but 3) is not.

The only hint I can find in the draft is that when a client connects to
both attack3.example.com and victim.example.com, finds that both use the
same public key, that the client somehow merges them into a single security
context.

How does that work with CDNs? Does every CDN have a unique public key per
hosted client site?

In my experience, a hard part of PKI certs is to make sure that every name
that can be used to reach the cert is infact listed in the certificate.
It would be way better if for DANE, no name checks are done at all.

v2.23.0 | Report a Bug | By Email