Re: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate

Eric Rescorla <ekr@rtfm.com> Thu, 16 August 2018 13:38 UTC

In-Reply-To: <6fb4a552-8d5e-494b-f934-1f97b83b0ab6@bartschnet.de>
References: <6fb4a552-8d5e-494b-f934-1f97b83b0ab6@bartschnet.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 16 Aug 2018 06:38:08 -0700
Message-ID: <CABcZeBMGedNJx_bEResOQKHp4eRFuvrZg_QpQ3DSK_zo-yjU0A@mail.gmail.com>
To: "Rene 'Renne' Bartsch, B.Sc. Informatics" <ietf=40bartschnet.de@dmarc.ietf.org>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/wsxN_1h5dgKe8uRt83gNDhAn4jg>
Subject: Re: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate

On Thu, Aug 16, 2018 at 1:13 AM, Rene 'Renne' Bartsch, B.Sc. Informatics <ietf=40bartschnet.de@dmarc.ietf.org> wrote:

> Hi,
>
> As TLS certificates forged or obtained by devious means have become common
> in MITM attacks by intelligence and criminals,
> I suggest that section 10 (Security considerations) RECOMMEND authenticating
> the DoH server TLS certificate via DANE-TLS (RFC 6698).
>

I don't think we should make this change. Much of the value proposition of
DoH is that it's straightforward to run on top of existing HTTPS
infrastructure, and as a practical matter nearly all of that infrastructure
depends on WebPKI certs and does not do DANE. For that reason, this
recommendation would be more aspirational than practical.

-Ekr
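What "authenticate the TLS certificate via DANE-TLS" amounts to on the client side, as an added example that is not part of this thread or of the DoH draft: parse a TLSA record (RFC 6698), derive the association data from the server's certificate, and compare. The DER walker, the toy certificates and the two sample keys are constructed here for illustration; real code would hand a real DER certificate from the TLS handshake to the same functions, and would only trust the TLSA record after a DNSSEC-validated lookup of `_443._tcp.<host>`.

```python
"""DANE-TLS (RFC 6698) end-entity matching of a server certificate.
Added example, not code from the DoH draft or from anyone in this thread.
Assumes DER certificates with the RFC 5280 layout; the DER walker is only
deep enough to reach subjectPublicKeyInfo, and the sample certificates
are constructed here as unsigned toys rather than real WebPKI certs."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the RFC 6698 presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split a constructed value into (tag, whole-TLV) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (whole TLV)."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(der_children(cert_body)[0][1])
    fields = der_children(tbs_body)
    # optional [0] version, then serialNumber, signature, issuer, validity,
    # subject, subjectPublicKeyInfo
    skip = 1 if fields[0][0] == 0xA0 else 0
    return fields[skip + 5][1]

def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Apply the selector, then the matching type (RFC 6698 section 2.1)."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")

def tlsa_match(record: TLSA, cert_der: bytes) -> bool:
    if record.usage not in (1, 3):
        raise ValueError("only end-entity usages (PKIX-EE, DANE-EE) handled")
    derived = association_data(cert_der, record.selector, record.matching)
    return hmac.compare_digest(derived, record.data)

def accept_end_entity(record: TLSA, cert_der: bytes, pkix_valid: bool) -> bool:
    """PKIX-EE (1) needs WebPKI validation AND the match; DANE-EE (3) needs the
    match only, so a chain-valid but mis-issued cert with another key fails."""
    matched = tlsa_match(record, cert_der)
    return (pkix_valid and matched) if record.usage == 1 else matched

def tlsa_for_cert(cert_der: bytes, usage=3, selector=1, matching=1) -> str:
    """Presentation-format record the operator would publish for this cert."""
    return f"{usage} {selector} {matching} {association_data(cert_der, selector, matching).hex()}"

def make_toy_cert(point: bytes) -> bytes:
    """Structurally valid v3 Certificate DER with a P-256 SPKI; constructed
    for this example only (no real key, zeroed signature)."""
    ec_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))     # id-ecPublicKey
                     + der(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = der(0x30, b"")                                               # empty Name
    validity = der(0x30, der(0x18, b"20180816000000Z") * 2)
    spki = der(0x30, ec_alg + der(0x03, b"\x00" + point))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(64)))

GENUINE_CERT = make_toy_cert(b"\x04" + bytes(range(1, 65)))    # operator's key (constructed)
ROGUE_CERT = make_toy_cert(b"\x04" + bytes(range(65, 129)))    # other key, same name (constructed)
PUBLISHED = tlsa_for_cert(GENUINE_CERT)                         # "3 1 1 <sha256 of SPKI>"

if __name__ == "__main__":
    rec = parse_tlsa(PUBLISHED)
    print("genuine, no WebPKI chain:", accept_end_entity(rec, GENUINE_CERT, pkix_valid=False))
    print("rogue, valid WebPKI chain:", accept_end_entity(rec, ROGUE_CERT, pkix_valid=True))
```

With the usual "3 1 1" record, a certificate that chains perfectly under the WebPKI but carries a different key is rejected, which is the property the suggestion is after; the price is that the operator must publish a new TLSA record before rotating the key, and the client must have a DNSSEC-validating path to fetch it, neither of which ordinary HTTPS hosting provides by default.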