IETF Logo Mail Archive

Re: [saag] On PKI vs. Pinning (SAAG 108 preview)

Nico Williams <nico@cryptonector.com> Fri, 28 August 2020 20:19 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F02A13A0B92 for <saag@ietfa.amsl.com>; Fri, 28 Aug 2020 13:19:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzEv_3d_pMPD for <saag@ietfa.amsl.com>; Fri, 28 Aug 2020 13:19:49 -0700 (PDT)
Received: from dragonfly.birch.relay.mailchannels.net (dragonfly.birch.relay.mailchannels.net [23.83.209.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44FAB3A0B91 for <saag@ietf.org>; Fri, 28 Aug 2020 13:19:48 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 3C0FD1213B1; Fri, 28 Aug 2020 20:19:48 +0000 (UTC)
Received: from pdx1-sub0-mail-a46.g.dreamhost.com (100-96-9-79.trex.outbound.svc.cluster.local [100.96.9.79]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id A6E2D1213F3; Fri, 28 Aug 2020 20:19:47 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a46.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.8); Fri, 28 Aug 2020 20:19:48 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Sponge-Cooperative: 6444005b7b003ef1_1598645987950_1069125511
X-MC-Loop-Signature: 1598645987950:2858762568
X-MC-Ingress-Time: 1598645987949
Received: from pdx1-sub0-mail-a46.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a46.g.dreamhost.com (Postfix) with ESMTP id 646C87F062; Fri, 28 Aug 2020 13:19:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=i+h+4R8oKEyh1a uMR3eQP7aaa38=; b=lxSMtydDdnHtIFbltskEm3+QVrTL3JXkDlFz8ymAXZCs9x PhbhvsBgtvN09YJ2pdPUFjfzE10cehzH1KU24cYgcR8TiPzOh2zpiy4SL30Gi+Iu zqahzXSl3ArtmyN1njBJPKcZqFyoUA4bYxEIJfFW0R20mFDePsb+3JKPceZQU=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a46.g.dreamhost.com (Postfix) with ESMTPSA id 8E5407F061; Fri, 28 Aug 2020 13:19:46 -0700 (PDT)
Date: Fri, 28 Aug 2020 15:19:44 -0500
X-DH-BACKEND: pdx1-sub0-mail-a46
From: Nico Williams <nico@cryptonector.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: saag@ietf.org
Message-ID: <20200828201942.GU3100@localhost>
References: <20200728191331.GV41010@kduck.mit.edu> <20200822014328.GI37427@straasha.imrryr.org> <32690.1598215107@localhost> <20200824021601.GS3100@localhost> <17304.1598644198@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <17304.1598644198@localhost>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedruddvkedgfeegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecuggftrfgrthhtvghrnhepffdtkeethfeuteeviefgfeegjeetjedvhfehgfdvtdefueejheelgeeuhffghffgnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sWfFabqb6gsXTfefkSQRLcYZ44U>
Subject: Re: [saag] On PKI vs. Pinning (SAAG 108 preview)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 20:19:51 -0000

On Fri, Aug 28, 2020 at 03:49:58PM -0400, Michael Richardson wrote:
> Nico Williams <nico@cryptonector.com> wrote:
>     > In the first two cases ...
> 
> I agree with your analysis.

I hadn't understood that those were specifically TLSA RR usage values.
So I was a bit confused, but still, I think the analysis was right.

> Do you think we need to capture it into a document?

It might be nice.  The realization that DANE is akin to a pin dist.
mechanism, that app stores and such are comparable in that sense, seems
like something that should be written down somewhere.

>     > There's one more.  draft-dukhovni-tls-dnssec-chain allows ...
> 
> I didn't know that this document exists.  To save others the step of learning
> about it:
>    ...
> 
> So, I wanted to do EXACTLY this for IPsec OE (RFC4322).

Yeah!

> I imagined two entities (Opus and Bill the Cat) sitting in a meadow, doing
> security of IPv6-LL addresses without any outside connectivity.
> [You can't expect a dead cat to fetch CRLs..]

You'd need an IKEv2 extension like Viktor's TLS extension, but which
also includes A/AAAA RRsets.

> I guess this is intended for the TLS WG?

Funny story about that.  There had been a TLS WG work item for it that
didn't support either the extension pin or the denial of existence
chain, and when we pushed for that to be added WG consensus fell apart
and the WG dropped the I-D with the agreement that all parties would get
to publish their own versions of it on the ISE.

>     > Pinning lets apps detect MITM attacks, but not whether they are
>     > tolerable attacks (enterprise proxies).
> 
> Agreed.
> That would have to come by some attestation statement in the decline.
> draft-ietf-capport-api-08 is one place I would like to that.

Tolerable attacks are essentially site-local pins that the app needs to
decide are OK or not OK, probably by hardcoding an OK/not-OK policy.

>     > In enterprise environments it's common to allow connection to banking
>     > sites through proxies w/o MITMing them.  Typically the banking sites
>     > allowed are either on some generic list (e.g., supplied by the
>     > enterprise proxy vendor), or those that the proxy's operator has
>     > reporting agreements with.
> 
> Yes.  But, generating exceptions to the site administrator to approve/deny
> might also be a good way to this.  MUD/RFC8520 statements from the app would
> also be interesting as supporting evidence.

Yes.

Nico
--

v2.23.0 | Report a Bug | By Email