Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <> Thu, 05 April 2018 03:22 UTC

Date: Wed, 04 Apr 2018 22:03:20 -0500
From: Nico Williams <>
To: Richard Barnes <>
Cc: Eric Rescorla <>, "<>" <>

On Thu, Apr 05, 2018 at 03:04:03AM +0000, Richard Barnes wrote:
> And just to be clear, by "downgrade attack", you mean "normal PKI
> authentication that we rely on today".  There's nothing in here that

It's NOT that using WebPKI is a downgrade.

It's that if an operator wants to use DANE (with any usage), then they
want to use DANE.  If an impersonator can make that not happen, it's a
downgrade from the operator's perspective (because they then don't get
what they wanted).

> degrades security (except maybe the legacy crypto in the DNS); it's
> just not meeting the bar that you are setting.   That doesn't mean
> there's not still some utility to be had.

Nonsense.  The operator wants DANE?  They should be able to get it.  If
an active attacker can make that not happen at will, then that is and
can only be called a downgrade attack.  Waving your hands doesn't make
this go away.  The WebPKI's security is irrelevant to this discussion.
Only the server operator's desired outcome is relevant.  If they can't
get it, then this protocol is not useful to them.  And this protocol is
all about using DANE in TLS applications!!!