Re: [secdir] secdir review of draft-ietf-dane-srv-12
Carl Wallace <carl@redhoundsoftware.com> Tue, 14 April 2015 12:59 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BCCC1A908B for <secdir@ietfa.amsl.com>; Tue, 14 Apr 2015 05:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zn5PLHF-Dx8O for <secdir@ietfa.amsl.com>; Tue, 14 Apr 2015 05:59:18 -0700 (PDT)
Received: from mail-qk0-f182.google.com (mail-qk0-f182.google.com [209.85.220.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D511A907C for <secdir@ietf.org>; Tue, 14 Apr 2015 05:59:18 -0700 (PDT)
Received: by qku63 with SMTP id 63so17545047qku.3 for <secdir@ietf.org>; Tue, 14 Apr 2015 05:59:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=NSX82bEdXVILF9yjVVuhGa766ylDm/6z+flh/V9F8xI=; b=X96OqArTk5nYDTTXX2zmM/OWVBbE6RB/hsZibPU7Ua/7ToWQ1vpc+AlSqmYqPdhO80 qgjNwZ/GL8y4fv+Iq5OEHHZnTe+eKJE91GvkohFUeehAuJTbF9Cb/o1SGniU3AKQzac7 4EmqAB+f+RM/hBzYNgbTzyGwMqt1IMqv5lqnTr8ALCw5VahqHWU/j0v7XZBrwsl+v3DM 3k+/UCwkgLg8k2Fs+AwpPBDrYB9TeqNGWlVAV5nHdSPz35s+veTfOkhmGErz2YscysKt /LzjWwRPVKJB1ZGA4mLq21A054b8q0wseFiuVWF/A7+IWJJpaq/n9A5p8FMVXAEietn3 +iwQ==
X-Gm-Message-State: ALoCoQn/C7TwsdIoJQ4s98sdL0mC4+VmdO5fcbUWy26syicBhg/KW3/xOhBn+xgtEqjKQlbTXiRt
X-Received: by 10.55.31.137 with SMTP id n9mr39986970qkh.91.1429016337096; Tue, 14 Apr 2015 05:58:57 -0700 (PDT)
Received: from [192.168.2.27] (pool-96-241-148-223.washdc.fios.verizon.net. [96.241.148.223]) by mx.google.com with ESMTPSA id a6sm630595qgf.17.2015.04.14.05.58.54 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 14 Apr 2015 05:58:56 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.4.7.141117
Date: Tue, 14 Apr 2015 08:58:52 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Peter Saint-Andre - &yet <peter@andyet.net>, mamille2@cisco.com, dot@dotat.at
Message-ID: <D1528310.32CC0%carl@redhoundsoftware.com>
Thread-Topic: secdir review of draft-ietf-dane-srv-12
References: <D1517899.32B98%carl@redhoundsoftware.com> <D15178CF.32BA3%carl@redhoundsoftware.com> <552C229C.1030701@andyet.net>
In-Reply-To: <552C229C.1030701@andyet.net>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/z5TaYKbkKAkB9hVKBC6QXqaOUr0>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-dane-srv-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2015 12:59:20 -0000
On 4/13/15, 4:10 PM, "Peter Saint-Andre - &yet" <peter@andyet.net> wrote: <snip> >>> In section 1 >>> - May be worth adding a note to the third bullet to clarify that >>>multiple >>> target endpoints may be defined for a given service domain, including a >>> mix of endpoints that have and do not have TLSA records. > >IMHO that's implicit, but maybe it would be clearer if we say something >like this: > >OLD > o When DNSSEC-validated TLSA records are published for a particular > connection endpoint, clients always use TLS when connecting (even > if the connection endpoint supports cleartext communication). > >NEW > o When DNSSEC-validated TLSA records are published for a particular > connection endpoint, clients always use TLS when connecting (even > if the connection endpoint supports cleartext communication > or some SRV records for the service domain map to connection > endpoints that do not support TLS). I think you are right a second bullet is better but if changing this maybe: When DNSSEC-validated TLSA records are published for a particular connection endpoint, clients always use TLS when connecting to that connection endpoint even if the endpoint supports cleartext communication. > >Is that what you had in mind? Do you feel it's helpful? I'm not so sure, >myself. Instead, I wonder if the point would be better handled by adding >another bullet point, such as: > > o Although in accordance with [RFC2782] a service domain can > advertise a number of SRV records (some of which might map to > connection endpoints that do not support TLS), the intent of this > specification is for an endpoint to securely discover connection > endpoints that support TLS. > >Does that capture your suggestion? Mostly, though I was thinking of endpoints that supported TLS but did not publish TLSA. The new bullet seems a little out of sync with the security considerations w.r.t. the intent of the spec, which claims no special effort is made to accommodate mixed results. Maybe: In accordance with [RFC2782] a service domain can advertise a number of SRV records (some of which might map to connection endpoints that do not support TLS or that support TLS but do not publish TLSA records), this specification enables clients to securely authenticate connection endpoints that support TLS and publish TLSA records. > >>> - Should the "always use" in the third bullet be "MUST use"? > >There is no normative text in the introduction. All of the normative >rules are contained in the body of the document. I'd prefer to keep it >that way. Right. That makes sense. I forgot that was introductory text. <snip> > >>> In section 10.2 >>> - In the last sentence, clients must also validate the certificate back >>> to >>> the designated trust anchor, not just check the reference identifiers. > >In RFC 6125 we had this paragraph: > > This document does not supersede the rules for certificate issuance > or validation provided in [PKIX]. Therefore, [PKIX] is authoritative > on any point that might also be discussed in this document. > Furthermore, [PKIX] also governs any certificate-related topic on > which this document is silent, including but not limited to > certificate syntax, certificate extensions such as name constraints > and extended key usage, and handling of certification paths. > >Even though there's no reason why anyone should expect this document to >override RFC 5280 (and Section 10.2 is about matching of subject names >only), it can't hurt to reinforce the point... > >OLD > Otherwise, while DNSSEC provides a secure binding between the server > name and the TLSA record, and the TLSA record provides a binding to a > certificate, this latter step can be indirect via a chain of > certificates. For example, a Certificate Usage "PKIX-TA" TLSA record > only authenticates the CA that issued the certificate, and third > parties can obtain certificates from the same CA. Therefore, clients > need to check whether the server's certificate matches one of the > expected reference identifiers to ensure that the certificate was > issued by the CA to the server the client expects. > >NEW > Otherwise, while DNSSEC provides a secure binding between the server > name and the TLSA record, and the TLSA record provides a binding to a > certificate, this latter step can be indirect via a chain of > certificates. For example, a Certificate Usage "PKIX-TA" TLSA record > only authenticates the CA that issued the certificate, and third > parties can obtain certificates from the same CA. Therefore, clients > need to check whether the server's certificate matches one of the > expected reference identifiers to ensure that the certificate was > issued by the CA to the server the client expects (naturally, this > is in addition to standard certificate-related checks as specified > in [RFC5280], including but not limited to certificate syntax, > certificate extensions such as name constraints and extended key > usage, and handling of certification paths). Seems fine.
- [secdir] secdir review of draft-ietf-dane-srv-12 Carl Wallace
- Re: [secdir] FW: secdir review of draft-ietf-dane… Peter Saint-Andre - &yet
- Re: [secdir] FW: secdir review of draft-ietf-dane… ⌘ Matt Miller
- Re: [secdir] FW: secdir review of draft-ietf-dane… Peter Saint-Andre - &yet
- Re: [secdir] secdir review of draft-ietf-dane-srv… Carl Wallace
- Re: [secdir] secdir review of draft-ietf-dane-srv… Peter Saint-Andre - &yet