Re: [dnssd] dnssd privacy draft
"Christian Huitema" <huitema@huitema.net> Fri, 24 June 2016 19:26 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3B2412D5BE for <dnssd@ietfa.amsl.com>; Fri, 24 Jun 2016 12:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQY56kHq1x6w for <dnssd@ietfa.amsl.com>; Fri, 24 Jun 2016 12:26:40 -0700 (PDT)
Received: from xsmtp12.mail2web.com (xsmtp12.mail2web.com [168.144.250.177]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E313612B05F for <dnssd@ietf.org>; Fri, 24 Jun 2016 12:26:39 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bGWkQ-0007P0-21 for dnssd@ietf.org; Fri, 24 Jun 2016 15:26:38 -0400
Received: (qmail 5848 invoked from network); 24 Jun 2016 19:26:37 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.160.201]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dnssd@ietf.org>; 24 Jun 2016 19:26:37 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Martin Thomson' <martin.thomson@gmail.com>, 'Christian Huitema' <huitema@microsoft.com>, dnssd@ietf.org
References: <CABkgnnU68Rwsy7Hn5jwCP7ytXh3MmGw_h4a_E8hjri0X_P3kWw@mail.gmail.com>
In-Reply-To: <CABkgnnU68Rwsy7Hn5jwCP7ytXh3MmGw_h4a_E8hjri0X_P3kWw@mail.gmail.com>
Date: Fri, 24 Jun 2016 12:26:34 -0700
Message-ID: <04a901d1ce4e$52e056e0$f8a104a0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIN3TkVMGpjbbwR26PjQrGFtNYdfJ+Aysqg
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/v5eDVHd4C3oKTN6AeeAkIVRpkqk>
Subject: Re: [dnssd] dnssd privacy draft
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 19:26:42 -0000
On Thursday, June 23, 2016 5:23 PM, Martin Thomson wrote: > > Interesting work. Thanks. > I think that a lot of this comes down to the design of the pairing protocol. Yes. The point is, do we have the appetite to design a pairing protocol in this group? If we do, my preference would be to describe this pairing protocol in a separate draft. > The requirement to use base64 isn't going to work very well with DNS. > Or do you expect this to work anyway? I guess that it could if you use the URL > and filename safe variant without padding, but I wouldn't have been that bold. It is already a requirement for DNS SD. There is a long discussion of that in RFC 6763: The <Instance> portion of the Service Instance Name is a user- friendly name consisting of arbitrary Net-Unicode text [RFC5198]. It MUST NOT contain ASCII control characters (byte values 0x00-0x1F and 0x7F) [RFC20] but otherwise is allowed to contain any characters, without restriction, including spaces, uppercase, lowercase, punctuation -- including dots -- accented characters, non-Roman text, and anything else that may be represented using Net-Unicode. For discussion of why the <Instance> name should be a user-visible, user- friendly name rather than an invisible machine-generated opaque identifier, see Appendix C, "What You See Is What You Get". Base64 guarantees that we will not be using control characters. I actually checked whether we could get something more compact using a wider range of Unicode character, but those require more bits on the wire and end up not very efficient. > Using base32 reduces the number of pairings you can advertise at once to 5; > which isn't great, but I guess that you can use the mitigation you already have. > But it begs the question: does this really need to be in the name? Did you > consider retrieving the proofs using TXT records that are provisioned against > the nonce? Yes, that's a possibility. But the instance name is obtained directly from the PTR record. Putting the information in the TXT record implies a longer query process: first get the PTR records, then retrieve the TXT record for each name in the PTR record. > Do you need to include the time in the nonce? We decided against leaking > clock information in TLS 1.3 for a range of reasons, primarily privacy. I believe > that lots of entropy would be OK. It's not like we need to be very careful with > space, and 96 bits seems like plenty. Are you saying that specifically for the PSK identity encoding? The use of time stamp there provides some level of protection against replay attacks, described in section 6.5. Otherwise, servers will have to rely on extended memory of previously used PSK identifiers. > Also, you don't have to base64 the psk_identity, it's just octets, which allows > you to reclaim some of that space. Well, section 5.1. of RFC4279 says: "The PSK identity MUST be first converted to a character string, and then encoded to octets using UTF-8 [UTF8]." And I see the character string requirement enforced in some of the TLS API. So base64 is just a way of being cautious. > Did you consider using SNI to carry the name? Or did you plan to forbid SNI? > You probably don't need to correlate the DNSSD parts with the TLS parts for > passive observers. Good point. We should probably specify some fixed SNI value, so the SNI does not leak server identity. > Regarding this: "Implementers MAY eventually replace SHA256 with a stronger > algorithm", I think that you need a better replacement plan. > Maybe you can use an attribute in the TXT record that identifies the hash. Or > you could identify the scheme in the psk_identity itself. > Or you could prefix names with a protocol version identifier. You could even > use a different service type name if it came to that. Yes, we need to think about versioning. The simplest solution is probably to encode a version number in the service type used by DNS SD. But better suggestions are welcome. -- Christian Huitema
- Re: [dnssd] dnssd privacy draft Daniel Kaiser
- Re: [dnssd] dnssd privacy draft Martin Thomson
- Re: [dnssd] dnssd privacy draft Alf Watt
- Re: [dnssd] dnssd privacy draft Martin Thomson
- Re: [dnssd] dnssd privacy draft Christian Huitema
- [dnssd] dnssd privacy draft Martin Thomson
- Re: [dnssd] dnssd privacy draft Tim Chown
- Re: [dnssd] dnssd privacy draft Martin Thomson
- Re: [dnssd] dnssd privacy draft Christian Huitema