Re: [keyassure] TLSA record does not mandate the given certificate

Zack Weinberg <> Mon, 28 March 2011 20:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 62DDF28C0F0 for <>; Mon, 28 Mar 2011 13:59:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.477
X-Spam-Status: No, score=-2.477 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XUUOXmFIksJA for <>; Mon, 28 Mar 2011 13:59:49 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6D8D43A693D for <>; Mon, 28 Mar 2011 13:59:49 -0700 (PDT)
Received: by vxg33 with SMTP id 33so3098644vxg.31 for <>; Mon, 28 Mar 2011 14:01:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=O1W18n+OkWnwMCY0e2EwAUl1zuwTWaTHhLsJmRQ17VU=; b=fNmaZxJQuNaOCgBzL2Ds0um9cBj2ty+FSBkcp8F41XeratohSVoKEOI9K46Gvu0v72 xbcCdz3tELzmOAbIrKuVLt65VNtxmhem5R17Z64rJZTZTAJakB0Wd2uDKcdP072JJoh3 79J0DgJE8r8xHRlicoN821/CwUgxEn1REOYVo=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=EqQQAy1s00uDPGGCjRovN3fdxIov/otS5vweGoU7FsmyXr9aKyIIWiQFzSQ8Luatrt MXFRpcJ/YpdnUVlZ3ac0wVCi5xJrBM/t7Tjc13j4queQccDzznFEN41LG/dW5Zk47nQ6 PhyKPRGE9v4eRrPprh/JEorjGwRftDC9hPIxk=
MIME-Version: 1.0
Received: by with SMTP id x2mr6231387vdv.264.1301346086795; Mon, 28 Mar 2011 14:01:26 -0700 (PDT)
Received: by with HTTP; Mon, 28 Mar 2011 14:01:26 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Mon, 28 Mar 2011 14:01:26 -0700
X-Google-Sender-Auth: FjOp-KjJ7MkFzssRStlgu6gXyA8
Message-ID: <>
From: Zack Weinberg <>
To: Michael Richardson <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [keyassure] TLSA record does not mandate the given certificate
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Mar 2011 20:59:50 -0000

On Mon, Mar 28, 2011 at 12:34 PM, Michael Richardson <> wrote:
> {I think you should start three threads for your three proposals}

It is one proposal.  I could split out the additional text about
non-security use, but apart from that, it doesn't make sense to try to
break up the changes.

> I can't parse "yes"/"no" in the above sentence.
> Do you mean:
>  A TLSA record for site S specifying certificate X forbids a compliant
>  client from proceeding with the handshake if it receives certificate Y.
> or do you mean to object to this statement?  I think you mean to support
> it but I couldn't tell from the overview, and only from the text you supplied.

I mean to support it.  This is meant to be clear from this text of the proposal:

>    Zack> The presence in the DNS of a trusted TLSA record is an assertion
>    Zack> by the zone administrator that the legitimate server(s) for that
>    Zack> host, protocol, and port will use certificate bundles that can be
>    Zack> associated with the domain name by that record (as defined in
>    Zack> section 3.1), and no others.
>    Zack> Therefore, a DANE client in possession of a trusted TLSA record
>    Zack> for a server MUST determine whether that TLSA record associates
>    Zack> the server's domain name with the certificate bundle it provides
>    Zack> in the TLS handshake.  If it does not, a DANE client MUST reject
>    Zack> the end-entity certificate and abort the TLS handshake with an
>    Zack> "access_denied" error.  This rule applies even if the end-entity
>    Zack> certificate would have been trusted in the absence of the TLSA
>    Zack> record.

If it's not, please let me know how I could improve it.