Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 25 February 2015 18:02 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475291A037A for <ietf@ietfa.amsl.com>; Wed, 25 Feb 2015 10:02:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t26f2uYk5avt for <ietf@ietfa.amsl.com>; Wed, 25 Feb 2015 10:02:29 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3B841A0033 for <ietf@ietf.org>; Wed, 25 Feb 2015 10:02:29 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id A9943282FCC; Wed, 25 Feb 2015 18:02:28 +0000 (UTC)
Date: Wed, 25 Feb 2015 18:02:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <20150225180227.GT1260@mournblade.imrryr.org>
References: <54C9DA42.5040901@cisco.com> <9EB44D8A-278B-42FC-A542-1C182AD43128@netnod.se> <A74A30F4D1214630918FD4CA@JcK-HP8200.jck.com> <20150223153757.GI1260@mournblade.imrryr.org> <20150223155241.GJ1260@mournblade.imrryr.org> <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/biIwZ8ZdLjQvbluy9si8403DXrM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 18:02:31 -0000
On Wed, Feb 25, 2015 at 05:28:35PM +0100, Patrik F?ltstr?m wrote: > > Victor is correct. This draft introduces indirection through DNS. > > Typically in the past when we've done indirection through DNS, we've not > > changed the expected security principal that we're targeting. > > It's that change that significantly changes the security model. > > It is not new with this draft and URI, it is done for example with SRV, and also MX. DNS redirection indeed has precedents in MX and SRV records. However, there is little to no prior practice in combining such rediction with "strict" TLS wherein the client's reference identifier for the server "chases" the redirection. I am sure that some MTA implementations just blindly apply TLS verification to the insecurely obtained MX hostname, even without DNSSEC. Such "going through the motions" is not in my view a real precedent. [ IIRC there was, and perhaps still is, a large email filtering provider that verifies the name the server returns in the clear in the first line of the EHLO response! This too is not a precedent for the proposed URI security model. ] > That said, it is an important discussion to have, and I have > waited for the DNS and Applications Community to talk about it. You might wonder why I of all people should be making a fuss about using DNS for TLS security. After all, I'm co-authoring two DANE documents and described DANE as a candidate mechanism for opportunistic use of authentication in the Opportunistic Security [RFC7435] document. The reason is absolutely not that I am opposed to designs that employ and trust DNSSEC to enable TLS reference identifier indirection. I support the use of such designs. Rather, it seems that the URI draft glosses over the implementation details and implications much too casually. This is a major change from current practice, and I think should be acknowledged as such and explored in more detail. Some considerations relevant to combining DNSSEC-validated redirection (which updates the client's notion of what to expect in peer certificates) appear in: https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-1.3 I should note that MTA-to-MTA SMTP is a specific opportunistic TLS application with a long history of deployment, so the above reference is about that singular use-case in which the issues are relatively well understood. With URIs, it is far less clear what applications are in scope, and what their security requirements might be. So a proper discussion of DNS-based URI redirection might need to be described as a set of considerations to apply when determining which schemes in the URI to accept, when to "chase" the reference identifier to the URI's target and even whether the DANE PKI might then be more appropriate in some situations, -- Viktor.
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Mark Nottingham
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Mark Nottingham
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Eliot Lear
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Eliot Lear
- (short version) Re: Last Call: <draft-faltstrom-u… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Dirk-Willem van Gulik
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Paul Hoffman
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Mark Andrews
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Andrew Newton
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Mark Nottingham
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Andrew Newton
- Re: (short version) Re: Last Call: <draft-faltstr… Phillip Hallam-Baker
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Andrew Newton
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- draft-newton-link-rr (was Re: Last Call: <draft-f… Nico Williams
- Re: draft-newton-link-rr (was Re: Last Call: <dra… Nico Williams
- Re: (short version) Re: Last Call: <draft-faltstr… Mark Andrews
- Re: (short version) Re: Last Call: <draft-faltstr… Phillip Hallam-Baker
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Mark Andrews
- Re: (short version) Re: Last Call: <draft-faltstr… Phillip Hallam-Baker
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Patrik Fältström
- Re: draft-newton-link-rr (was Re: Last Call: <dra… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: draft-newton-link-rr (was Re: Last Call: <dra… Andrew Newton
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: draft-newton-link-rr (was Re: Last Call: <dra… Patrik Fältström
- Re: Last Call: <draft-faltstrom-uri-10.txt> (The … Mark Andrews
- Re: (short version) Re: Last Call: <draft-faltstr… Mark Nottingham
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Mark Nottingham
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Viktor Dukhovni
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… Sam Hartman
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… John C Klensin
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: (short version) Re: Last Call: <draft-faltstr… Eliot Lear
- Re: (short version) Re: Last Call: <draft-faltstr… Nico Williams
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Re: (short version) Re: Last Call: <draft-faltstr… Pete Resnick
- Where to do the work was Re: (short version) Re: … t.p.
- Re: (short version) Re: Last Call: <draft-faltstr… Patrik Fältström