Re: [secdir] FW: secdir review of draft-ietf-dane-srv-12
⌘ Matt Miller <mamille2@cisco.com> Mon, 13 April 2015 20:17 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6246B1A1EF3; Mon, 13 Apr 2015 13:17:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.211
X-Spam-Level:
X-Spam-Status: No, score=-14.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DY1Y4KHplBCa; Mon, 13 Apr 2015 13:17:10 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FDB71A1E0F; Mon, 13 Apr 2015 13:17:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7735; q=dns/txt; s=iport; t=1428956230; x=1430165830; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=aS2zPXgKZJ6T+1Hm+WJ69M0+1VvPFc4LRD+c5GZG3TU=; b=Zqs4cJLjOmG8yU4BpgYy6yankTgEHl9DkHlH+tUtO08DKCQD8DrKaMt9 hk2eHo1tSqCX34PL2lO0EG81EkyYp/7jxNuHQm6na1sdAtFeVbdLhu615 6GPHRiZxZQvTfXiCjjUdlada/Ml2eanGnAaXDjw6w6PWPzr+2mE6xrDB0 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CmBAALIyxV/4UNJK1cgwxSXAWDEMF+CYFGhgkCgT04FAEBAQEBAQF9hB8BAQEDASNVAQULCxgCAgUWCwICCQMCAQIBNQcJBgEMAQUCAQGIHgi3IZYbAQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSBIYoKhBkKBwEGGDMHgmiBRQEEiy6JV4YWgR2DN4JEigeDTSKCAh2Bb1CBAgIHFwYcfwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,571,1422921600"; d="scan'208";a="140763572"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-8.cisco.com with ESMTP; 13 Apr 2015 20:17:09 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t3DKH9Gw018833 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Apr 2015 20:17:09 GMT
Received: from [10.89.9.212] (10.89.9.212) by xhc-rcd-x12.cisco.com (173.37.183.86) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 13 Apr 2015 15:17:08 -0500
Message-ID: <552C2444.1070907@cisco.com>
Date: Mon, 13 Apr 2015 14:17:08 -0600
From: ⌘ Matt Miller <mamille2@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Peter Saint-Andre - &yet <peter@andyet.net>, Carl Wallace <carl@redhoundsoftware.com>, dot@dotat.at
References: <D1517899.32B98%carl@redhoundsoftware.com> <D15178CF.32BA3%carl@redhoundsoftware.com> <552C229C.1030701@andyet.net>
In-Reply-To: <552C229C.1030701@andyet.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.89.9.212]
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/tQWYxVlfEJ4NQPWXkFXYySEnjvk>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] FW: secdir review of draft-ietf-dane-srv-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 20:17:13 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 4/13/15 2:10 PM, Peter Saint-Andre - &yet wrote: > Hi Carl, > > Thanks for your review and sorry about the trouble with the email > aliases. (Please note that I have not checked any of the proposed > text with my co-authors, so this is all provisional.) > Thanks for the review, Carl. I agree with my co-author's response and proposed changes. - -- - - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc. > On 4/13/15 11:46 AM, Carl Wallace wrote: >> My attempt at using the tools address for all document authors >> failed, hence sending it directly. Please add secdir@ietf.org and >> iesg@ietf.org back to any reply. >> >> On 4/13/15, 1:43 PM, "Carl Wallace" <carl@redhoundsoftware.com> >> wrote: >> >>> I have reviewed this document as part of the security >>> directorate's ongoing effort to review all IETF documents being >>> processed by the IESG. These comments were written primarily >>> for the benefit of the security area directors. Document >>> editors and WG chairs should treat these comments just like any >>> other last call comments. >>> >>> The document is basically ready. A few minor nits are below. >>> The primary comment is that there are a few instances where >>> abbreviated certificate checks are cited and potentially mask a >>> need to do full certification path validation. >>> >>> Therefore this document provides guidelines that enable >>> protocols that rely on SRV lookups to locate and use TLSA >>> records. >>> >>> In section 1 - May be worth adding a note to the third bullet >>> to clarify that multiple target endpoints may be defined for a >>> given service domain, including a mix of endpoints that have >>> and do not have TLSA records. > > IMHO that's implicit, but maybe it would be clearer if we say > something like this: > > OLD o When DNSSEC-validated TLSA records are published for a > particular connection endpoint, clients always use TLS when > connecting (even if the connection endpoint supports cleartext > communication). > > NEW o When DNSSEC-validated TLSA records are published for a > particular connection endpoint, clients always use TLS when > connecting (even if the connection endpoint supports cleartext > communication or some SRV records for the service domain map to > connection endpoints that do not support TLS). > > Is that what you had in mind? Do you feel it's helpful? I'm not so > sure, myself. Instead, I wonder if the point would be better > handled by adding another bullet point, such as: > > o Although in accordance with [RFC2782] a service domain can > advertise a number of SRV records (some of which might map to > connection endpoints that do not support TLS), the intent of this > specification is for an endpoint to securely discover connection > endpoints that support TLS. > > Does that capture your suggestion? > >>> - Should the "always use" in the third bullet be "MUST use"? > > There is no normative text in the introduction. All of the > normative rules are contained in the body of the document. I'd > prefer to keep it that way. > >>> - May be worth clarifying in the fifth bullet that no usable >>> TLSA records for one target endpoint does not mean there are no >>> usable TLSA records for another target endpoint. The security >>> considerations address this point and the point in the first >>> bullet above, but it seems worth reenforcing in the body as >>> well. >>> >>> - Bullet 5 should reference RFC5280 alongside RFC6125 and/or >>> reference "non-DANE behavior" a la section 3.1 (but using the >>> target server hostname). > > Probably all of the bullet points in the introduction need to say > "usable TLSA record *for a given connection endpoint*" and then > have a bullet point at the end that says something like this: > > o If there are no usable TLSA records for any connection endpoint > (and thus the client cannot securely discover a connection endpoint > that supports TLS), the client's behavior is a matter for the > application protocol or client implementation; this might involve a > fallback to non-DANE behavior using the public key infrastructure > [RFC5280]. > >>> In Section 4.2 - Should this reference RFC6698 section 2.1 or >>> section 4? Section 4 seems like a better target to me. > > That does seem better. > >>> - Replace reference to "expiration checks from RFC5280" with >>> "validation checks from RFC5280" unless you mean for some forms >>> of 5280 checks to be honored here. Current wording could create >>> a misimpression that only expiration checks need be performed. > > Good point. > >>> In section 10.2 - In the last sentence, clients must also >>> validate the certificate back to the designated trust anchor, >>> not just check the reference identifiers. > > In RFC 6125 we had this paragraph: > > This document does not supersede the rules for certificate > issuance or validation provided in [PKIX]. Therefore, [PKIX] is > authoritative on any point that might also be discussed in this > document. Furthermore, [PKIX] also governs any certificate-related > topic on which this document is silent, including but not limited > to certificate syntax, certificate extensions such as name > constraints and extended key usage, and handling of certification > paths. > > Even though there's no reason why anyone should expect this > document to override RFC 5280 (and Section 10.2 is about matching > of subject names only), it can't hurt to reinforce the point... > > OLD Otherwise, while DNSSEC provides a secure binding between the > server name and the TLSA record, and the TLSA record provides a > binding to a certificate, this latter step can be indirect via a > chain of certificates. For example, a Certificate Usage "PKIX-TA" > TLSA record only authenticates the CA that issued the certificate, > and third parties can obtain certificates from the same CA. > Therefore, clients need to check whether the server's certificate > matches one of the expected reference identifiers to ensure that > the certificate was issued by the CA to the server the client > expects. > > NEW Otherwise, while DNSSEC provides a secure binding between the > server name and the TLSA record, and the TLSA record provides a > binding to a certificate, this latter step can be indirect via a > chain of certificates. For example, a Certificate Usage "PKIX-TA" > TLSA record only authenticates the CA that issued the certificate, > and third parties can obtain certificates from the same CA. > Therefore, clients need to check whether the server's certificate > matches one of the expected reference identifiers to ensure that > the certificate was issued by the CA to the server the client > expects (naturally, this is in addition to standard > certificate-related checks as specified in [RFC5280], including but > not limited to certificate syntax, certificate extensions such as > name constraints and extended key usage, and handling of > certification paths). > > Peter > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJVLCREAAoJEDWi+S0W7cO13tAH/25IN+jxGgB4FaxKYAiXlKfL ZwQFRz5/NV8MlW5ZByIkj0baoy9QbfJQxobUe9OR+kUT+qt9/x4v2Zmhlpz+xpKx xiOnh8dPJGa2112Ljnyc2MlbKdB6cBMYY85dvwtaD+YYtgDK2nNFy38hrebkLu8H kn6prwxxci8+chIo6fE5hF0c0KoEJ7Q8zCGZqwKbr6eAvgoqxfu9Ey2Wzki0jBCO Lq5A8ltRLyl0aUVNtBY3l+M1MSkDJ6RK35xqeYPNNamLz1XUN/A4uCpRRxzjc2Is +q+h9jr8UZPw6rX+IuoospP3zoOQoLBb0b26Pbtmgpkp66jnW4wPWKcNmr+AWLA= =SmS2 -----END PGP SIGNATURE-----
- [secdir] secdir review of draft-ietf-dane-srv-12 Carl Wallace
- Re: [secdir] FW: secdir review of draft-ietf-dane… Peter Saint-Andre - &yet
- Re: [secdir] FW: secdir review of draft-ietf-dane… ⌘ Matt Miller
- Re: [secdir] FW: secdir review of draft-ietf-dane… Peter Saint-Andre - &yet
- Re: [secdir] secdir review of draft-ietf-dane-srv… Carl Wallace
- Re: [secdir] secdir review of draft-ietf-dane-srv… Peter Saint-Andre - &yet