Re: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate
Star Brilliant <m13253@hotmail.com> Thu, 16 August 2018 10:10 UTC
Return-Path: <m13253@hotmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E797D130E7E for <doh@ietfa.amsl.com>; Thu, 16 Aug 2018 03:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.876
X-Spam-Level:
X-Spam-Status: No, score=-0.876 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7WeLqpUKCC1O for <doh@ietfa.amsl.com>; Thu, 16 Aug 2018 03:10:28 -0700 (PDT)
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-oln040092011040.outbound.protection.outlook.com [40.92.11.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C776112D7F8 for <doh@ietf.org>; Thu, 16 Aug 2018 03:10:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dhnhdsKgb+zUsB8MwC3Uc7zk5XRJsK0/goYFf/Mq1Ok=; b=a8ns7ftMPkrFYQu5wzlteM1KDgA+jQKMFiSsLF9fHMy9AR1b2xGTfi2ZOJ4GrockXyIgdRd2t6Khpd+RnuM9AS/lANK024VOD0yG4mBP017FStreLOxo2TIIDA4/HfyalDEx/Ga0zmSVFpVCuphBXneToTeE20l7PIc2o3EjdHTQc2MTmRXBFo5Fc2Bpp7V3NzqNHhW0Dg10Je9BF/RYI9mb5FEVA4nbOQhiMpCPPnNlF0yBGVMjWjZvroA0MA3Z/OLj4haJ512bQ2ISBdfDR/ajLEdYiDpY+rwhbNpqaMp/WVyMZ60MgCVsy51mKbkvso6WpOfbmK1rx8yBgrTDVg==
Received: from SN1NAM04FT062.eop-NAM04.prod.protection.outlook.com (10.152.88.52) by SN1NAM04HT129.eop-NAM04.prod.protection.outlook.com (10.152.88.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.1059.14; Thu, 16 Aug 2018 10:10:27 +0000
Received: from BYAPR19MB2248.namprd19.prod.outlook.com (10.152.88.55) by SN1NAM04FT062.mail.protection.outlook.com (10.152.89.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.1059.14 via Frontend Transport; Thu, 16 Aug 2018 10:10:27 +0000
Received: from BYAPR19MB2248.namprd19.prod.outlook.com ([fe80::7503:33f4:3a67:2cc1]) by BYAPR19MB2248.namprd19.prod.outlook.com ([fe80::7503:33f4:3a67:2cc1%3]) with mapi id 15.20.1059.017; Thu, 16 Aug 2018 10:10:27 +0000
From: Star Brilliant <m13253@hotmail.com>
To: "doh@ietf.org" <doh@ietf.org>
CC: "Rene 'Renne' Bartsch, B.Sc. Informatics" <ietf=40bartschnet.de@dmarc.ietf.org>
Thread-Topic: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate
Thread-Index: AQHUNTkH7tX1FPWMfkWU1/q7LTu0kKTCFPPEgAAJ+ICAAAkvLw==
Date: Thu, 16 Aug 2018 10:10:27 +0000
Message-ID: <BYAPR19MB22482948BA2CDC3D68277A9B943E0@BYAPR19MB2248.namprd19.prod.outlook.com>
References: <6fb4a552-8d5e-494b-f934-1f97b83b0ab6@bartschnet.de> <BYAPR19MB224839928ED4EC67F094F74A943E0@BYAPR19MB2248.namprd19.prod.outlook.com>, <74018a91-eecb-bb35-d5c4-e72487a0719a@bartschnet.de>
In-Reply-To: <74018a91-eecb-bb35-d5c4-e72487a0719a@bartschnet.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:5FCDCA98F1E3241937BD406351113633325F5193E04D1F6F62825C685DF530C8; UpperCasedChecksum:8244B64C0DB8237AECF13BDAE868685A135933D8B87EAE4E67BB70896A22B4B2; SizeAsReceived:7363; Count:47
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [yvtPZDOKaAvfl4khrr1IK0/SIQ3MyeNR]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1NAM04HT129; 6:FBYWa205AnlocKlp5QxbCLHdtIoWpWBc2GLYFFa9+zfm9DIEEbdO5E2ldxq1CmBvSMo53aBDxUQv5flmb7VAaogZ+ZV0yxxGgowCDlJyer8rmuxbTE9hcmvWdLGr4pQYt0qk3M2npGyducrw/HKqrHnQqMtD82Bt39b2ZA8jLv+ZFJG0S4VSoWPCCTDwfkEb0Zq58LsAP1d2Z2S7X3ySH+lO24jed2ToKhAot4bJIdfZnMyQfcxQiiGym/cq8HhJr6ryirtRIhFATiLo4dKC1jqyMRKTbP7eMYpQH10uY4Gpn5Z0epXIvaavVNlZkG8L0/HsPh7k+3S8z9oY5jPU5ebBmvPYbB9khVZ63PCnXz1RS9FCmTyk8WqTHUXCtRyf2C6lrQP8m/Y+wKb+M1Xt36W7pzf3mpKK2sgH1186GbcSQHd4DiwtG0RezBKcOdYdl4cwnFoy11GH9YIm39ryaA==; 5:7QNWyigoUGRN2+ANF/tyH7L+dTRTvWd/ZqdUUzzBMMWYXEeh0c3HkZYT1N1W5beOIwCd5TMQ7XMQ9xYnFVDEaSrqj8VDyYo67mpFJqgkDYqH+zi+wk8kmXEieBcs+iM0+PcbOA93lFAPkB9q1XaEPqh+oLDLQ4Cobgp2g6U11ys=; 7:iplad5bBeLhh9Fo7at1zfyk0X8mhnKnXBvE84C+MfZlfNz14i2GUvf7WeSLsbipx3Fko/9grTjGg9we8hvmK9x9bWG+ppvrrbwoMS4EyFO553cawphU4tkvCH/Ysjbdfqvzr/W5sEqb6Ja8UMbhE7NFeaPYv9DAt1GaViIJTREuUF8A/rRWvKZlKh5/bVtPK63InOM70t1QA8Gw74fIBX+MsS6L8a4qAfuuDe1qkYENOZKMUulI8F+PRGBAyGEal
x-incomingheadercount: 47
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101475)(1601125500)(1701031045); SRVR:SN1NAM04HT129;
x-ms-traffictypediagnostic: SN1NAM04HT129:
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(4566010)(82015058); SRVR:SN1NAM04HT129; BCL:0; PCL:0; RULEID:; SRVR:SN1NAM04HT129;
x-forefront-prvs: 07665BE9D1
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(189003)(199004)(486006)(4326008)(87572001)(6306002)(5640700003)(26005)(33656002)(6436002)(446003)(104016004)(11346002)(476003)(6346003)(97736004)(6246003)(73972006)(6506007)(99286004)(25786009)(102836004)(9686003)(55016002)(2501003)(53546011)(106356001)(105586002)(8676002)(2351001)(74316002)(76176011)(5250100002)(81156014)(1730700003)(2900100001)(86362001)(305945005)(20460500001)(7696005)(229853002)(68736007)(8936002)(14444005)(14454004)(56003)(6916009)(82202002)(256004)(83332001)(5660300001)(15852004)(42262002); DIR:OUT; SFP:1901; SCL:1; SRVR:SN1NAM04HT129; H:BYAPR19MB2248.namprd19.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: hotmail.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=m13253@hotmail.com;
x-microsoft-antispam-message-info: rJJ4koMNF03NEBphQfmaMORGbCwMHY7xo93sKWqrSKuswQpEq1sR/wjQT3CY1oUns20yTyGFlSwQoo5wSeik9A9oOsMIX+uR6qjDFGe1MkJBYDaRqHnoQPsz+GjK2jUOa3u4ObpW1VwmdkfJAG4mQ2UfADvOSjhiWpVWF3pF7vAKYo2hhH1ql7tGEAq4U/JvvrFux/ggbsFHxDZRtwCoYsqGL5Sg0fNei19ZM8CpRUw=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: c001924d-3e68-4f40-89c2-901a49278da7
X-MS-Exchange-CrossTenant-Network-Message-Id: 523a566a-1f7f-45bf-0a70-08d603607d53
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: c001924d-3e68-4f40-89c2-901a49278da7
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Aug 2018 10:10:27.3373 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM04HT129
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/kNwgPLIUKZ635xeyEW--eG-MV98>
Subject: Re: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2018 10:10:31 -0000
On Thu, Aug 16, 2018 at 7:37 PM Rene 'Renne' Bartsch, B.Sc. Informatics <ietf=40bartschnet.de@dmarc.ietf.org> wrote: > > Am 16.08.2018 um 11:01 schrieb Star Brilliant: > > On Thu, Aug 16, 2018 at 6:13 PM Rene 'Renne' Bartsch, B.Sc. Informatics <ietf=40bartschnet.de@dmarc.ietf.org> wrote: > >> > >> Hi, > >> > >> as TLS-certificates forged or obtained by devious means have become common in MITM-attacks by intelligence and criminals > >> I suggest to RECOMMEND authentication of the DoH-server TLS-certificate via DANE-TLS (RFC 6698) in section 10 (Security considerations). > > > > Hi Renne, > > > > I am sorry I could not get your point. > > > > How could it be possible to forge TLS certificates without being detected through our current PKI systems? The security level is the same with either PKI and DANE. Let me explain. > - Stolen CA keys/hacked CA (https://en.wikipedia.org/wiki/DigiNotar -> Issuance of fraudulent certificates) Stolen/hacked KSK and ZSK. And currently it is nearly impossible to revoke and rotate the root-anchor key in case anything bad happens. > - Malicious CA Malicious domain registrar that modifies NS records combined with GeoDNS to prevent being detected. > - CA forced by malicious law We have certificate transparency records and CAA records to protect them. But nothing similar in DANE world. > - Abuse of intermediate certificates (https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html) Yes it is detected! (I said "... forge TLS certificates without being detected ...") > - Fraudulent certificate requests I could not get your point. Any examples? > - Broken revocation system (https://medium.com/@alexeysamoshkin/how-ssl-certificate-revocation-is-broken-in-practice-af3b63b9cb3) Therefore OCSP-Stapling is necessary. Not only for security, but also for bootstrap to work. > What if the client doesn't get the CRL/OCSP informtation? If unable to get OCSP information, the client will probably query itself in a loop, and may crash finally. If you run DoH server by yourself you will know this problem. > Bottom line: Don't trust a CA. No offence, but do you trust ICANN? That is single authority, compared with multiple CAs. Conclusion: I do not think DANE should be preferred than PKI (or "MORE RECOMMENDED" than PKI). At most they have the same level of security. (Actually DANE is worse, e.g. nearly impossible to rotate the root-anchor.)
- [Doh] Suggestion on draft-ietf-doh-dns-over-https… Rene 'Renne' Bartsch, B.Sc. Informatics
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Star Brilliant
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Rene 'Renne' Bartsch, B.Sc. Informatics
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Star Brilliant
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Rene 'Renne' Bartsch, B.Sc. Informatics
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Eric Rescorla
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Rene 'Renne' Bartsch, B.Sc. Informatics
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Eric Rescorla
- Re: [Doh] Suggestion on draft-ietf-doh-dns-over-h… Adam Roach