[TLS] Enforcing Protocol Invariants

Ryan Carboni <ryacko@gmail.com> Thu, 08 November 2018 08:44 UTC

From: Ryan Carboni <ryacko@gmail.com>
Date: Thu, 08 Nov 2018 00:44:16 -0800
Message-ID: <CAO7N=i0g9d9x5RdF_guKm3GDAxVRHSV+eHffs6kiJm6dWO7tvw@mail.gmail.com>
To: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2L78qdwtUrTqc-I4hMbVf1R7gNc>
Subject: [TLS] Enforcing Protocol Invariants

Hmm. TLS has gotten too complex. How does one create a new protocol? Maybe
we should ask Google.

The SSHFP DNS record exists. DNSSEC exists.

This might be a radical proposal, but maybe the certificate hash could be
placed in a DNS TXT record. In another DNS TXT record, a list of supported
protocols could be listed.
A DNS SRV record would define the port that one can use to connect to a
service, because the URL scheme died after .onion was recognized as a
domain and after Chromium decided that the presentation of subdomains
was unimportant. So no browser has to show which port it is connected to.
Although, to be radical, all anyone needs is RSA-2048, ephemeral DH-3072,
and SHAKE-128 as AEAD.
And maybe recommend that boot entropy could be obtained by using the timer
entropy daemon for one second (and which would in theory provide enough
entropy for perpetuity).

This isn’t rocket science. The state of cyber security is a horrible
disappointment.
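
Added example, not part of the original message: a client-side check for the scheme sketched above (certificate hash in one TXT record, protocol list in another, port from SRV). The `certhash=`/`protocols=` record layout, the protocol names, the `authenticated` flag standing in for a DNSSEC-validated answer, and all sample data are assumptions constructed for illustration; the message defines none of them.

```python
import hashlib
import hmac

# Constructed sample data; the TXT layout below is hypothetical.
SAMPLE_CERT_DER = b"constructed-stand-in-for-DER-certificate-bytes"
SAMPLE_ANSWERS = {
    "authenticated": True,  # assumption: resolver validated DNSSEC for these answers
    "txt": [
        "certhash=sha256:" + hashlib.sha256(SAMPLE_CERT_DER).hexdigest(),
        "protocols=proto-b,proto-a",
    ],
    "srv": [(20, 0, 9443, "backup.example."), (10, 5, 8443, "svc.example.")],
}

def parse_txt(strings):
    """Turn 'key=value' TXT strings into a dict, rejecting duplicate keys."""
    out = {}
    for s in strings:
        key, sep, value = s.partition("=")
        if not sep or key in out:
            raise ValueError(f"malformed or duplicate TXT entry: {s!r}")
        out[key] = value
    return out

def connection_plan(answers, presented_cert, client_protocols):
    """Return (target, port, protocol); raise ValueError if any check fails."""
    # Without authenticated DNS, an on-path attacker can replace the pin itself.
    if not answers.get("authenticated"):
        raise ValueError("answers not DNSSEC-validated; pin is untrustworthy")
    txt = parse_txt(answers["txt"])
    if "certhash" not in txt or "protocols" not in txt:
        raise ValueError("required TXT entries missing")
    algo, _, pinned_hex = txt["certhash"].partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported hash algorithm: {algo!r}")
    pinned = bytes.fromhex(pinned_hex)  # raises ValueError on bad hex
    actual = hashlib.sha256(presented_cert).digest()
    if not hmac.compare_digest(actual, pinned):
        raise ValueError("certificate does not match the pinned hash")
    offered = txt["protocols"].split(",")
    # Client preference order decides; the published list only restricts it.
    protocol = next((p for p in client_protocols if p in offered), None)
    if protocol is None:
        raise ValueError("no protocol in common")
    # Lowest SRV priority value wins (RFC 2782); weight is ignored here.
    _, _, port, target = min(answers["srv"], key=lambda r: r[0])
    return target, port, protocol
```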