Re: [secdir] [dane] SecDir Review of draft-ietf-dane-ops-12

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 13 July 2015 04:01 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0132F1A1A0C; Sun, 12 Jul 2015 21:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avyQhruVr6pw; Sun, 12 Jul 2015 21:01:00 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C7831A19E4; Sun, 12 Jul 2015 21:01:00 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 2E0A4284D6A; Mon, 13 Jul 2015 04:00:59 +0000 (UTC)
Date: Mon, 13 Jul 2015 04:00:59 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: Paul Wouters <paul@nohats.ca>
Message-ID: <20150713040058.GJ28047@mournblade.imrryr.org>
References: <C0E0A32284495243BDE0AC8A066631A818C43CD4@szxeml557-mbs.china.huawei.com> <20150711164349.GP28047@mournblade.imrryr.org> <alpine.LFD.2.11.1507122242200.3522@bofh.nohats.ca> <20150713032950.GI28047@mournblade.imrryr.org> <alpine.LFD.2.11.1507122331280.3522@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.11.1507122331280.3522@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/w73Ht4o9ABXHAbWCcnNpFCp98-g>
Cc: IETF Security Directorate <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, dane@ietf.org
Subject: Re: [secdir] [dane] SecDir Review of draft-ietf-dane-ops-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 04:01:02 -0000

On Sun, Jul 12, 2015 at 11:37:07PM -0400, Paul Wouters wrote:

> >DANE-EE(3) certs are often self-signed, and there's no way to
> >control the "spam" problem on the CT logs with DANE-EE(3).
> 
> You don't know what audit logs will use for policies. Perhaps some
> audit logs will be dedicated to only self-signed certs. I do not
> think the dane document should dictate CT behaviour.

The problem is that the CT documents are otherwise liable to dictate
DANE behaviour.  For example, require SCTs in DANE-EE validated
certs.  That would be unfortunate.  This document notes that the
present experimental CT in RFC 6962 is inapplicable to DANE.

CT logs that record leaf certificates would be essentially useless,
A rogue TLSA RRset with a "3 1 1" binding will work regardless of
the certificate content, just based on the public key.  A misissued
TLSA RRset will bind a certificate that contains no information as
to which domain was compromised.  Here's a certificate with an
empty subject and issuer name, what will the CT log make of that?

-----BEGIN CERTIFICATE-----
MIIBRjCB7aADAgECAgkAleIk6aMkXRwwCgYIKoZIzj0EAwIwADAeFw0xNTA3MTMw
MzUwNTlaFw0xNTA4MTIwMzUwNTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AAR50eOHUyMeHOMJNZTIXuj4QBJRbQrOLbYIftmZwzatO3/rG5BRyuUIfTQnzAq5
3K7A1pfq4hfseiOfT6prKKIVo1AwTjAdBgNVHQ4EFgQU7GD7zL/aLrBUaQIIKksc
cc6or+0wHwYDVR0jBBgwFoAU7GD7zL/aLrBUaQIIKksccc6or+0wDAYDVR0TBAUw
AwEB/zAKBggqhkjOPQQDAgNIADBFAiBr51OuJXf8N4Z79rStIXCIuYm6drChz39G
RBWvumsuhgIhANoW5K3bSqIFpIp2aXzH2PiiSgxnC3T9Mp5O70tXGS4L
-----END CERTIFICATE-----

And yet it will match

    _25._tcp.smtp.example.com. IN TLSA 3 1 1 20041CBFD6570C48ACD8D526572137B9090E8037D115FB3C21218D9E9992A9C2

The *only* way to do CT for DANE TLSA is to do CT for DNS, and there
is no CT for DNS in RFC 6962.

> >Furthermore such a certificate is only ever "rogue" if DNSSEC is
> >compromised to publish rogue TLSA RRs.
> 
> Not if they use a CT log for prepublishing somehow. Although that is
> unlikely to happen with SCT's without a CA, I still think you should
> not make those decisions on this document.

It is not a policy decision, it is just logic.  The impossible
cannot be done.

> >You're confused.  The server is free to ignore the client's SNI
> >extension when it has a single certificate that works for all hosted
> >domains, because clients authenticate the server via the certificate
> >or key digest, and don't care about what name is in the certificate.
> >We're not modifying TLS, we're explaining that the server is free
> >to ignore the client's SNI extension.
> 
> How is that not modifying TLS server behaviour?

It is not modifying the TLS protocol, servers are already free to
ignore SNI and return whatever certificate chain they please.  This
document explains that with DANE-EE(3) this yields results that
are satisfactory to the client.

As for modifying TLS, we're for example mandating the transmission
of self-signed roots with DANE-TA(2), and that too is within the
realm of what TLS can do, we're just defining a behaviour profile
that makes DANE-TA(2) work (it does not otherwise).

-- 
	Viktor.