IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Eric Rescorla <ekr@rtfm.com> Thu, 05 April 2018 03:40 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF0A412785F for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaiP9635h1ZK for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:40:18 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B038A127369 for <tls@ietf.org>; Wed, 4 Apr 2018 20:40:18 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id l190-v6so21277422oig.9 for <tls@ietf.org>; Wed, 04 Apr 2018 20:40:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Cczk1tecwH10LG5UktJf0g9Xj37Mrt7l0wZh9QIQuWo=; b=vWQI921Lk/LQ3JbBNvfmh12UyQxQpYGkrMvt+KvAWnYSXidhUUQlJA7Xqyogi96znS kKRnSPOvIO6mswPKB87l4eCh5ydoWclLedH2BzoWPUSTjI8KbsecgNc7akbf7mh4O8Bd oLtbgKXLk1Qes+HgdIpMy1QfNaS9jl7cHt7dX294loEyIuYOq3HgL30iZT42HxYIn8nD Umo2QHl6wZYC3I9KfWBoypOpsf26xdRVEMxRXpA5wM7DgwXDobEqcJDrJuLzUtrgtInh 2SKJlOhT7xQOMSThuWBwP3mNR7E7D6Amg0+dqHX0FsuoZBZWBY0nUUK0Cbi96kBq5zs6 W2NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Cczk1tecwH10LG5UktJf0g9Xj37Mrt7l0wZh9QIQuWo=; b=qqHx5MPG05N9qQxwfXhoAmRVqKqvqX95u5QnpZmjbKjTD+veRc4l/HFvNDK5xRbPkz eVYmtZIoQJ5AqfAOeQ4ZcD7/Hvxg2fcUbTafmjjTLYqerQ7qRgOL0zScKNpBswXIOp3T ikhjtX9FJvQpE0Aff/InaLg9+233iUjrkxsrvPP76RrSLOW2RQFrWlATOULHETJNCiNf sYjdTWNJUMqJZhkJq8hMX27YKR3LwT+HyxVRDVMVGU6xPXHNCPYbQ6SHExPefaqAYVy0 BbUgTCFaKm2tCQx/wDGgE3NWfdHbJ4jvw8lrVJ48upueGhnMVmsA8tc4j4nA7gux+1ka FugQ==
X-Gm-Message-State: ALQs6tCs+vkJfkiHWB0ZkK/bCZ07JrUJm26/aimgYQlxnesgQGGF66/m 1laXE7qplnUx3s0V9wDKvq7MHfSKBWwPmemTS59QXw==
X-Google-Smtp-Source: AIpwx4+xlbUm2ioVI8sHuH6iLRj/UrNrx0C0f/qrWfYT2/OklzQhd34JhtGcyETaxtVIDLvnQSGNoyMFUew2hs82MSY=
X-Received: by 2002:aca:544b:: with SMTP id i72-v6mr12365471oib.262.1522899617977; Wed, 04 Apr 2018 20:40:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.130 with HTTP; Wed, 4 Apr 2018 20:39:37 -0700 (PDT)
In-Reply-To: <20180405030945.GN25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CABcZeBMGdXPF9if8Z_Gnc5MoOrZAOPEV2K3i5Bd_ewC6fdxOEg@mail.gmail.com> <20180405023456.GK25259@localhost> <CABcZeBM8MPMhpb9LpqkWAV7LmsUabk3Q7CtxLFaFMFLQVg-H0g@mail.gmail.com> <20180405030945.GN25259@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 04 Apr 2018 20:39:37 -0700
Message-ID: <CABcZeBNJE+iCccpCt0-BgP79q7eaR6atVQDKF9GmwadiSV=5iA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c22d0e056911b2f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7Pr3G1ut_2LE42NmWIIa1wY9W2U>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 03:40:21 -0000

On Wed, Apr 4, 2018 at 8:09 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Wed, Apr 04, 2018 at 08:06:42PM -0700, Eric Rescorla wrote:
> > On Wed, Apr 4, 2018 at 7:34 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> >
> > > > HPKP had a TTL and yet as a practical matter, people found it very
> > > > problematic.
> > >
> > > I can see why: you have to commit to one certificate in the chain not
> > > changing.
> >
> > No, this isn't correct, in two respects.
> >
> > 1. HPKP pins the SPKI, not the certificate, it's about the *key* not
> > changing, and intermediates and roots change quite infrequently.
> > (https://tools.ietf.org/html/rfc7469#section-2.1.1)
>
> Either way it's the same impact: you cannot roll that key over.
>
> Whereas with pin-to-DANE there's no such problem.  I thought I made that
> clear.
>

Yes, I agree that you're relying on a different guarantee from your parent
zone, I just don't think it's particularly obvious that that guarantee is
easier
to ensure, for the reasons I indicated previously.


> > And, of course, if you're concerned with hijacking attacks, the
> > > > hijacker will just advertise a very long TTL.
> > >
> > > But it's a TOFU-ish thing.  The server impersonator has to have the
> > > right timing or else be detected -- that's very risky for them, and a
> > > deterrent to even trying.  It's not fool-proof, but it's not nothing
> > > either.
> >
> > Given that the motivation for this kind of hijacking was generally
> > expected to be vandalism or ransom, this doesn't seem very comforting.
>
> The motivation for opportunistically using this is to be able to
> incrementally deploy DANE for HTTPS (and browsers).  Without that it
> won't get deployed at all for HTTPS.
>

I don't see how this is responsive to the concern that this technique will
be used for hijacking.

-Ekr


> Nico
> --
>

v2.15.0 | Report a Bug | By Email