Re: [keyassure] Musing on design based on proposed use cases
Eric Rescorla <ekr@rtfm.com> Wed, 30 March 2011 12:42 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A849E28C17F for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 05:42:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.943
X-Spam-Level:
X-Spam-Status: No, score=-102.943 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xBXugvg5v8eB for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 05:42:13 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 90CC328C14E for <keyassure@ietf.org>; Wed, 30 Mar 2011 05:42:13 -0700 (PDT)
Received: by iwn39 with SMTP id 39so1416996iwn.31 for <keyassure@ietf.org>; Wed, 30 Mar 2011 05:43:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.226.135 with SMTP id iw7mr1112356icb.238.1301489032339; Wed, 30 Mar 2011 05:43:52 -0700 (PDT)
Received: by 10.42.217.2 with HTTP; Wed, 30 Mar 2011 05:43:52 -0700 (PDT)
In-Reply-To: <1DDD3940-D481-44E8-B505-05F24E7B46AA@bbn.com>
References: <1DDD3940-D481-44E8-B505-05F24E7B46AA@bbn.com>
Date: Wed, 30 Mar 2011 14:43:52 +0200
Message-ID: <AANLkTikyt=mHRLjXQ64903knEkUKwO0fKjqoSPy2anXQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Musing on design based on proposed use cases
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 12:42:18 -0000
Without endorsing this design overall... On Wed, Mar 30, 2011 at 2:40 PM, Richard L. Barnes <rbarnes@bbn.com> wrote: > So I think the use cases EKR described are clear enough to design to -- and they're not satisfied by the current design. ISTM that there will probably be a need for a couple of flags to distinguish the two semantics: > 1. "critical": MUST require that this cert be present in the chain > 2. "trusted": MUST use this cert as a TA > 3. "exclusive": Trusted + MUST NOT use any other TAs. > > The latter two come with a caveat: Clearly, the relying party can choose to ignore the DANE TAs, so the flag would be a recommendation from the domain owner to the relying party. (There are clearly interactions between the flags, e.g., no "exclusive" without "trusted"; see table at the bottom. There are also potential interactions between records w.r.t. the "exclusive" flag.) > > So the proposed validation algorithm would have roughly the following form: > A. Given a set of DANE records and a cert chain... > B. Verify that all DANE certs with the "critical" flag set are present in the cert chain This seems problematic. Say what I'm trying to do is cert lock and I have multiple servers, each with its own cert. If I list all the certs, this will obvious break. > C. [TBD-Consensus] If there is a "critical" EE cert, accept/reject based on exact match > E. If any DANE record is flagged "exclusive", remove all TAs from the local TA store > D. Add all DANE certs with the "trusted" flag set to the local TA store > F. Perform normal PKIX validation -Ekr
- [keyassure] Musing on design based on proposed us… Richard L. Barnes
- Re: [keyassure] Musing on design based on propose… Eric Rescorla
- Re: [keyassure] Musing on design based on propose… Richard L. Barnes