IETF Logo Mail Archive

Re: [Secdispatch] GNU Name System

Jon Callas <jon@callas.org> Fri, 24 July 2020 01:12 UTC

Return-Path: <jon@callas.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABEFD3A076C for <secdispatch@ietfa.amsl.com>; Thu, 23 Jul 2020 18:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=callas.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIDbsrmW3BJq for <secdispatch@ietfa.amsl.com>; Thu, 23 Jul 2020 18:12:16 -0700 (PDT)
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B4033A0772 for <secdispatch@ietf.org>; Thu, 23 Jul 2020 18:12:16 -0700 (PDT)
Received: by mail-pf1-x429.google.com with SMTP id w126so3961641pfw.8 for <secdispatch@ietf.org>; Thu, 23 Jul 2020 18:12:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=callas.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=l2EsPj5rj3+CLk94KVhb4xGlnZZFlguATb5RlStL5xI=; b=BP1zbYy78k0mD11jXF7apLY9q8/NjbB167qVtnfl/982XpBuZdslits6U3cnUki0s3 jZFKFB+1+nYCf0D2zOQM6cLFcdBGBoz+exA3vROz2874dXFv1H0VjPqdDvXaxRL44F62 GxHrlpq5b76xqJJHwUkayQb+a8V562aUOdMF//WMZ/Vpdlxt5NvsYptxouGL0ZpX91Il oWqM+oMyht6TKpZLDPvuCVYhdiX+UJmN/p02idsA89Jz9d8NMIv7lv8fxNpq7YazVBwh JoMtum6x2/k2JUF8hW7wdXqgW67xsmVZA9rXH5o5QvDtwi/50Xpv4es0hTtBCjvbj8D+ twTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=l2EsPj5rj3+CLk94KVhb4xGlnZZFlguATb5RlStL5xI=; b=GnXm3VJbsqihdcILyytKiYdFy7Lml4cwl0qcmFdsGzl2bquacEqAzkmxYzi0bQhR+s 77+UG3MrKUslQEAtJcc3UKN9sK0eKQke/dUFEkUJetqEdgKKApatR8fpHN7Ff5TxG1Gu ep29n345hOKFB4vp4jLTNwxLkJJjyuddtmSfP1en5RyyjOXrDZ5h58r+n0Sh1S3JXSV1 Sls2f1sF/q9b4b+ybY5Lwc+6+WlxPzDSnveme061shOIDJr63DROBKoUHv+LVnRi1nEC HShBpwJl1+IQxOd7lZMl7Zgk6NiStRUO0eLsYIHWZOsMzKZU9rlWTMFspmCkDQqV9g86 2JUQ==
X-Gm-Message-State: AOAM530z3C98K1qjFuuyAAr2N36l1Bdqtl04jGCJr7TbwSLdF/RJCGmL yy4a0UHP9bKb8vtw6p+DxlfXyqUABefUUw==
X-Google-Smtp-Source: ABdhPJxaNNMfDZ8TIalX+fAZJwwNvZP5sudfWicyrRnHAIANrIOcf71vGRfxHTUB1nbUs5ZfBO9r7A==
X-Received: by 2002:a65:6714:: with SMTP id u20mr6570528pgf.121.1595553135444; Thu, 23 Jul 2020 18:12:15 -0700 (PDT)
Received: from ?IPv6:2600:1700:38c4:12bf:f579:6371:4362:c1bf? ([2600:1700:38c4:12bf:f579:6371:4362:c1bf]) by smtp.gmail.com with ESMTPSA id j16sm4230911pgb.33.2020.07.23.18.12.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Jul 2020 18:12:15 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <31625.1595368614@localhost>
Date: Thu, 23 Jul 2020 18:12:14 -0700
Cc: Jon Callas <jon@callas.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <707BC467-05E0-43C9-AF86-AE741E4E26FD@callas.org>
References: <31625.1595368614@localhost>
To: "secdispatch@ietf.org" <secdispatch@ietf.org>, "draft-schanzen-gns@ietf.org" <draft-schanzen-gns@ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ti7Lh8oBy4qc0wNNmcUPmwHS810>
Subject: Re: [Secdispatch] GNU Name System
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 01:12:19 -0000

I've also read through the GNS draft and have some comments:

* Like Michael Richardson, I have a great love for SDSI and love to see it used. I think there's a large discussion we should have about what the use cases can and should be. Alternate roots etc. are an issue, but I'm not sure it would be so bad to be able to say "ICANN's ietf.org" other than that it implies there could be someone else's "ietf.org" and that this is obviously problematic, particularly in how it would enable things like phishing. I take the opposite take on user experience. Protocol documents shouldn't be talking UX. Anyway, I think there's a discussion point as to whether this is a good idea. As much as I would like to be able to say "the media server I have at home" (for a number of reasons, not the least of which that that implies I'm not at home"), it's not clear this is really a good idea in the general case. My security auditor's mind is having a field day in thinking of cool (meaning confusing or malicious) ways to use this. Yet, I think it's a discussion point.

* If this gets put into a working group, I think it needs an IETF name for it, not GNS and not something that contains "GNU." Other standards have had their institutional links filed off; SSL became TLS, SSH became SECSH. Notably, OpenPGP did not, and I think that this was unfortunate. Despite all good intentions at the time, it's created confusion, and I say that as an RFC editor and as an implementer. There's nothing wrong with GNUnet's GNS being a reference implementation of <protocol>, and my advice to both the IETF and the GNS people, you'll be happier if you change the protocol name.

* There are a number of eccentric things in the protocol now. I don't mean that as a pejorative -- there are lots of eccentric things I like, SDSI, for example. I also like CFB mode as well as Twofish. Why, though, are they here? Are the design decisions leading to these? There's not a lot in the draft about these decisions. In general, it's better to stick to the well-trodden paths, to pick algorithms, modes, etc. that are in common use. In specific there are often reasons to do something on its own; I can see that a naming system might have reasons for going its own way. We just need a discussion of them. New code, new algorithms mean new bugs. If you can write about these decisions, "Most people do X, we are doing Y, because Z" that helps understand why the decisions are there. Some can be guessed -- CFB means no CBC padding, and no keying issues of a stream cipher like CTR mode. Tell us, though. I also really want to see what's going on and why with the record data encryption ini 4.3. 

* There are a number of other features in this that are interestingly eccentric, but leave me with a raised eyebrow. For example, a resource record for a VPN. That's interesting, but why? Zone revocation with proof-of-work -- why, as time and time again proof-of-work proves not to work? (I refer also to section 9.5 where you recommend pre-generating proofs of work. Where should these be stored, how should they be protected?) 

* The Security considerations need more work. 9.1 discusses the ECDSA decision, but not other crypto considerations. It refers us to the relevant papers without really saying more.  

9.2 points out that unrestricted Unicode names can lead to phishing, but says nothing more than, "zone administrators must take into account this attack vector and incorporate rules in order to mitigate it." That's not helpful. Or perhaps, 'this enables phishing, and it's your problem not ours, and we're not going to tell you what to do' is the actual security consideration. The second paragraph essentially says that protocol prevents taking down phishing site because authoritarian governments are bad. Um, okay.

9.3 is also pretty scary, a direct quote (and not my paraphrase) is: "Zone administrators, and for GNS this includes end-users, are required to responsibly and dilligently [sic] protect their cryptographic keys." That's a pretty big security consideration that everyone has to do their own key management and get it 100% right.

I do have a question -- what happens if the keys are lost? Does this mean the domain is essentially gone forever? I can't quite tell.

9.4 says that we need to pick the right DHT, if we pick the wrong one bad stuff will happen, and if we pick different ones interoperability is "unlikely."

I don't have further things to say about revocations, except that it's tetchy and brittle, by design.

All in all, the security considerations don't leave me thinking this is anything like a safe protocol.

* Despite all my comments above, I think that there's something interesting in the protocol and the issues can be fixed. Nonetheless, this is being positioned as an Informational RFC and I think that's a bad idea. This should either be standards track or continue to be off on its own and not part of the IETF.

The major risk is that this is an alternative to DNS that could lead to fragmentation of the most basic service on the Internet, naming. Yet it requires everyone to do key management perfectly and optimizes against easy management through proof of work and so on. I know I've done silly things managing my own DNS, and it seems that I'd be unhappily doing proof-of-work to undo every typo.

There are exciting ideas here. I believe that many of the issues I've brought up have relatively simple solutions. I also believe that it's no where near ready to deploy or standardize in the IETF. An informational RFC is not a good idea; this is too big and too experimental for that. While we in the IETF understand the difference, most people think and RFC is an RFC is an RFC is an RFC. The belief is that informational RFCs are standards. (Again, I am a sinner here, too. I have at times gotten tired of saying "informational" when someone incorrectly says "standard" and just let them go on.)

The agenda for Secdispatch says simply that this item is, "objective: find a home at IETF" which seems to be presupposing that the decision is not if it should be in some working group, but which one. I think it's premature for that. Much more work needs to be done.

	Jon

v2.23.0 | Report a Bug | By Email