IETF Logo Mail Archive

Re: [keyassure] Objective: Restrictive versus Supplementary Models

Michael Richardson <mcr@sandelman.ca> Wed, 30 March 2011 15:41 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BFA833A6B61 for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 08:41:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.954
X-Spam-Level:
X-Spam-Status: No, score=-1.954 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CLezSymxXAcn for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 08:41:21 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by core3.amsl.com (Postfix) with ESMTP id DA0953A684E for <keyassure@ietf.org>; Wed, 30 Mar 2011 08:41:20 -0700 (PDT)
Received: from marajade.sandelman.ca (ip-85-160-190-55.eurotel.cz [85.160.190.55]) by relay.sandelman.ca (Postfix) with ESMTPS id CAF0D34117 for <keyassure@ietf.org>; Wed, 30 Mar 2011 11:42:58 -0400 (EDT)
Received: from marajade.sandelman.ca (marajade.sandelman.ca [127.0.0.1]) by marajade.sandelman.ca (Postfix) with ESMTP id 10D9E98B17 for <keyassure@ietf.org>; Wed, 30 Mar 2011 17:28:22 +0200 (CEST)
From: Michael Richardson <mcr@sandelman.ca>
To: keyassure@ietf.org
In-Reply-To: <0374DFAB-AA4F-42DA-9792-71BCEFB4ABBF@bbn.com>
References: <AANLkTik1Uzd8XSZzopBBDHywrhSjsBQYxC91BZXdkMwg@mail.gmail.com> <0AE869F3-0BBB-485F-8CDD-EC1B70EBB9B2@bbn.com> <AANLkTi=r884poth6pAXPtot0XVuCXfEprcYQTDdPLR1W@mail.gmail.com> <0374DFAB-AA4F-42DA-9792-71BCEFB4ABBF@bbn.com>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 22)
Date: Wed, 30 Mar 2011 17:28:22 +0200
Message-ID: <8018.1301498902@marajade.sandelman.ca>
Sender: mcr@sandelman.ca
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 15:41:21 -0000

>>>>> "Richard" == Richard L Barnes <rbarnes@bbn.com> writes:
    Richard> Fair enough.  Revised version below allows for the
    Richard> possibility of short-circuiting based on exact match with
    Richard> an EE cert.  (Trying to maintain an integral version that
    Richard> can be called for consensus later.) 

okay, but is there a bit that tells the client which case they are
trying to implement?  Or do we even need such a thing?

Paul and I were discussing things from the point of view that the client
does one process only, and that it has to work for both cases.

1. client looks up A/AAAA record. DNSSEC recommended. If no DNSSEC,
          attacker can mis-direct connection.
2a. client initiates TCP socket to target. (Attacker may do IP-level
    redirection, even if A/AAAA is correct)
2b. client looks up DANE/TLSA record (if any).
3. If TLSA found, client adds DANE CA and/or EE certs to TA store,
   dropping all others (*)
4. Client performs normal TLS/PKIX checks.

This is secure for domain-managed authentication if DNSSEC.
This is is also secure for cert-lock even in the face of Comodogate.

This may fail for some corporate environments where there is a forced
proxy of all TLS connections to some auditing firewall device.
Apparently some vendors let you force new sets of trust anchors
to desktops so that the desktops will wind up trusting the official
man-in-the-middle device.   If in step 3, one drops that trust anchor,
then the MitM is detected.  This may be a feature or not.

The question that we came up with was: is the act of dropping other
trust anchors something that should be controlled by the owner the
domain via the TLSA record, or is this a question of local policy?

You *HAVE* to drop them to get the cert-lock to be effective.

    Richard> 1. Cert-lock / CA-lock
    Richard> 1.1. Use case:
    Richard> 1.1.1. Client initiates TLS connection and gets server cert chain
    Richard> 1.1.2. Client performs normal TLS/PKIX validation on cert chain
    Richard> 1.1.3. Client retrieves DANE records from DNS
    Richard> 1.1.4. DANE records specify EE or CA certs that MUST be present in cert chain
    Richard> 1.1.5. Client verifies that TLS cert chain meets DANE constraints
    Richard> 1.2. Security goal: Defend against issuance of other certs for this domain
    Richard> 1.3. DNSSEC RECOMMENDED, not REQUIRED; attacker can only cause connection failure

    Richard> 2. Domain-managed authentication
    Richard> 2.1. Use case:
    Richard> 2.1.1. Client retrieves DANE records from DNS
    Richard> 2.1.2. DANE records specify Trust Anchors for PKIX certificate validation
    Richard> 2.1.3. Client adds DANE CA certs to TA store (optionally, drops all others)
    Richard> 2.1.3. [TBD] If DANE provides EE cert, accept/reject based on exact match
    Richard> 2.1.4. Client initiates TLS connection and gets server cert chain
    Richard> 2.1.5. Client performs normal TLS/PKIX validation on cert chain
    Richard> 2.2. Security goal: Allow TLS to work without pre-configured TAs
    Richard> 2.3. DNSSEC REQUIRED; attacker can insert bogus TAs

v2.23.0 | Report a Bug | By Email