IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <nico@cryptonector.com> Thu, 05 April 2018 03:30 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BFCF129BBF for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qU2lLRi8_TVU for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:30:06 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C68A126B6D for <tls@ietf.org>; Wed, 4 Apr 2018 20:30:06 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id C3D68A00400F; Wed, 4 Apr 2018 20:30:05 -0700 (PDT)
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 6EA41A000B3C; Wed, 4 Apr 2018 20:30:05 -0700 (PDT)
Date: Wed, 04 Apr 2018 22:09:46 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20180405030945.GN25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CABcZeBMGdXPF9if8Z_Gnc5MoOrZAOPEV2K3i5Bd_ewC6fdxOEg@mail.gmail.com> <20180405023456.GK25259@localhost> <CABcZeBM8MPMhpb9LpqkWAV7LmsUabk3Q7CtxLFaFMFLQVg-H0g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBM8MPMhpb9LpqkWAV7LmsUabk3Q7CtxLFaFMFLQVg-H0g@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1tGkeB0rs-aYOYvTqBFJC3SNkVw>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 03:30:10 -0000

On Wed, Apr 04, 2018 at 08:06:42PM -0700, Eric Rescorla wrote:
> On Wed, Apr 4, 2018 at 7:34 PM, Nico Williams <nico@cryptonector.com> wrote:
> 
> > > HPKP had a TTL and yet as a practical matter, people found it very
> > > problematic.
> >
> > I can see why: you have to commit to one certificate in the chain not
> > changing.
> 
> No, this isn't correct, in two respects.
> 
> 1. HPKP pins the SPKI, not the certificate, it's about the *key* not
> changing, and intermediates and roots change quite infrequently.
> (https://tools.ietf.org/html/rfc7469#section-2.1.1)

Either way it's the same impact: you cannot roll that key over.

Whereas with pin-to-DANE there's no such problem.  I thought I made that
clear.

> 2. It's not one key. HPKP allowed you to pin multiple keys and in fact
> *required* you to set a backup pin
> (https://tools.ietf.org/html/rfc7469#section-2.5)

The problem remains: you're pinning to key material, which complicates
key management.

> Whereas here you only have to commit to continue to publish
> > TLSA RRs (and signing them and your zone).  This is a big difference.
> >
> 
> I don't think that's it all obvious that this is going to be easier to
> guarantee, especially given the rather high DNSSEC misconfiguration
> rate
> (https://link.springer.com/content/pdf/10.1186%2Fs13388-015-0023-y.pdf,
> https://indico.dns-oarc.net/event/14/contribution/14/material/slides/0.pdf).

I flubbed that up a bit.  With the pin you commit to continue to using
this extension for as long as the clients have pinned it (which you
control via the TTL).  You can actually stop signing your zone provided
that you continue to use the extension.

> > And, of course, if you're concerned with hijacking attacks, the
> > > hijacker will just advertise a very long TTL.
> >
> > But it's a TOFU-ish thing.  The server impersonator has to have the
> > right timing or else be detected -- that's very risky for them, and a
> > deterrent to even trying.  It's not fool-proof, but it's not nothing
> > either.
> 
> Given that the motivation for this kind of hijacking was generally
> expected to be vandalism or ransom, this doesn't seem very comforting.

The motivation for opportunistically using this is to be able to
incrementally deploy DANE for HTTPS (and browsers).  Without that it
won't get deployed at all for HTTPS.

Nico
--

v2.15.0 | Report a Bug | By Email