IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)

Marsh Ray <marsh@extendedsubset.com> Thu, 17 November 2011 17:24 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0402A21F9A55 for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 09:24:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DuRJ-T7AOLMd for <tls@ietfa.amsl.com>; Thu, 17 Nov 2011 09:24:15 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by ietfa.amsl.com (Postfix) with ESMTP id 1F37621F97C6 for <tls@ietf.org>; Thu, 17 Nov 2011 09:24:15 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1RR5h8-000I2d-Jl; Thu, 17 Nov 2011 17:24:14 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id C230D63C2; Thu, 17 Nov 2011 17:24:12 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18ZFOG7GxqZsI5FkP/7eQ0/hHM6NRZhyQg=
Message-ID: <4EC5433C.6070202@extendedsubset.com>
Date: Thu, 17 Nov 2011 11:24:12 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: Paul Wouters <paul@xelerance.com>
References: <alpine.DEB.2.00.1110311914480.17385@mail.xelerance.com> <8766068B-882E-41F9-B908-49088E451F03@nic.cz> <alpine.DEB.2.00.1111171111410.19177@mail.xelerance.com>
In-Reply-To: <alpine.DEB.2.00.1111171111410.19177@mail.xelerance.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] New Version Notification for draft-wouters-tls-oob-pubkey-01.txt (fwd)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 17:24:16 -0000

Question. This item:
> o  A TLS client has connected to the TLS server before and has cached
> the TLS server certificate chain or TLS server public key for re-use

Is that behavior endorsed by current RFCs, or is server cert caching a
new optimization being enabled by this draft (perhaps in conjunction
with HSTS pinning)?

Seems like that topic could merit a whole nother RFC of its own. Maybe
reference that or drop it from here?

Clearly this document "specifies a new TLS certificate type for
exchanging raw public keys or their fingerprints in TLS and DTLS". But I
guess the deeper question is to what extent this draft intends to
endorse ad-hoc approaches to TLS authentication when it says "By
specifying a minimum resource for raw public key exchange,
implementations can use alternative authentication methods."

In the Security Considerations there is the statement "A client using
this cert_type needs to be confident in the authenticity of the public
key it is using." This is obviously correct, but is it worded strongly
enough?

For example, it's no secret that a great many non-browser TLS client
applications do not bother with cert validation or they fail to check
that the cert matches the host they requested. Often they allow plain IP
addresses in their configuration. Today we can say this is against
various RFCs, but if this draft were accepted perhaps such clients would
be able to simply request cert type RawPublicKey and say "yep, looks
good enough for me therefore I am RFC-compliant!"

This is an ongoing discussion that I encounter among users and app
developers on a regular basis. For example:
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2011-02/msg00650.html


On 11/17/2011 10:20 AM, Paul Wouters wrote:
>
> Though I see your point, I cannot really see any case where a TLS
> implementation would obtain a public key from DNS without any PKIX
> information and without any DNSSEC protection. In this case there is
>  not even the PKIX fallback information to go on, so regardless of
> what DANE decides to do for "validatable PKIX", a TLS client MUST
> NOT use a TLSA record containing just a public key if it did not
> authenticate that data with DNSSEC.
>
> Perhaps it can be reworded?

Perhaps you could use a different example such as:

* Certs obtained via LDAP (e.g. http://tools.ietf.org/html/rfc4523 )

* IPsec using X.509 certs http://tools.ietf.org/html/rfc4301

* Established SSH RSA keys (if this is actually well-defined)

Just some ideas.


> But I think it is a valid security concern to point out people
> should not just pluck spoofable TLSA records from DNS and build a TLS
> trust relationship based on that. Even if DANE decided to always
> mandata DNSSEC, I think it is a good reminder to make that explicit
> in the Security Considerations here?

I agree that it's worth repeating on principle, but I don't think it's
necessary to include more of an explanation of the full PKI security
model. Just a reference should do.

- Marsh

v2.23.0 | Report a Bug | By Email