Re: [TLS] Make DANE-TLS (RFC 6698) mandatory for TLS

Ryan Sleevi <ryan-ietftls@sleevi.com> Tue, 16 October 2018 01:45 UTC

References: <90e2851e-6469-226c-b2bd-63efebdfd796@bartschnet.de> <9700FD81-5DDF-4A14-B740-1216A749510D@dukhovni.org>
In-Reply-To: <9700FD81-5DDF-4A14-B740-1216A749510D@dukhovni.org>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Mon, 15 Oct 2018 21:44:10 -0400
Message-ID: <CAErg=HGiOMYnFFpkd1NKZP6hcTuSdEEOCdGKQZBp5oNP=CkNOQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BRZW9J2QUT27Mmj-lYvDYKy6rfM>
Subject: Re: [TLS] Make DANE-TLS (RFC 6698) mandatory for TLS

On Mon, Oct 15, 2018 at 4:50 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> Though I am generally an advocate for DANE, and have done much work to
> further its adoption, this is not a realistic proposal.  DANE adoption
> in TLS will be incremental and will not be accomplished via a mandate.
>
> > On Oct 15, 2018, at 4:20 PM, Rene 'Renne' Bartsch, B.Sc. Informatics
> <ietf=40bartschnet.de@dmarc.ietf.org> wrote:
> >
> > TLS is prone to Man-In-The-Middle attacks with unjustly obtained
> intermediate certificates (e.g. firewall appliances).
> > The DNSSEC KSK-rollover worked like a charm.
> >
> > So I suggest making DANE-TLS mandatory for TLS to prevent
> Man-In-The-Middle attacks with unjustly obtained intermediate certificates.
>

I think there's another criticism to be leveled at this proposal, and its
suitability for this WG - the motivation stated (firewall appliances) is a
question about local policy. I admit my own ignorance here, in that I'm not
sure how https://tools.ietf.org/html/draft-nottingham-for-the-users has
been progressing as a comparable alternative to the HTML Priority of
Constituencies. However, as engineers, we need to recognize that no matter
what is memorialized by the IETF, if you have control over the machine - as
these enterprises inevitably do to install their firewall appliance - all
bets are off. We should not pretend we will prevent that, nor should we
increase costs for the ecosystem in pursuit of that effort.