IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <nico@cryptonector.com> Thu, 05 April 2018 02:50 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A45124319 for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 19:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yf8XYv2Tw68Q for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 19:50:53 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B21FE127077 for <tls@ietf.org>; Wed, 4 Apr 2018 19:50:53 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 45884A00400F; Wed, 4 Apr 2018 19:50:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=T/gd0+IfuecuNb qRN+8uUECGZBc=; b=Au4NthIbpr+s2vqzKW43/kTeuLLHDszxYwQI7c/95zfaGA KUNd5q5IRzBXrfPTvE8P8U5g9qI2wRgBZA7JyFu4Uf3IYZP4BPmEkRWBt8ExyI/p oR1w0yZxCEkZFgJBw/5153esC7A/rm6D+kPGeE3vlSrseZDqZb3zdEqHs4JKg=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id E2FC9A000B3C; Wed, 4 Apr 2018 19:50:52 -0700 (PDT)
Date: Wed, 04 Apr 2018 21:34:57 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20180405023456.GK25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CABcZeBMGdXPF9if8Z_Gnc5MoOrZAOPEV2K3i5Bd_ewC6fdxOEg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBMGdXPF9if8Z_Gnc5MoOrZAOPEV2K3i5Bd_ewC6fdxOEg@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CtYtfpw4595I903hu78MqOs9o3U>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 02:50:56 -0000

On Wed, Apr 04, 2018 at 07:44:53PM -0700, Eric Rescorla wrote:
> On Wed, Apr 4, 2018 at 7:20 PM, Nico Williams <nico@cryptonector.com> wrote:
> 
> > On Wed, Apr 04, 2018 at 07:22:38PM -0700, Eric Rescorla wrote:
> > > I don't think that this comparison is particularly apt.The
> > > representation in HSTS is simply "I support HSTS". The representation
> > > in HPKP is "I will use either consistent keying material *or* a
> > > consistent set of CAs". The representation here is "I will continue to
> > > have DNSSEC-signed DANE records". That is a significantly more risky
> > > proposition than continuing to support TLS (and I'm ignoring the risk
> > > of hijacking attacks that people were concerned with with HPKP), and
> > > so this seems rather more like HPKP to me.
> >
> > Without a TTL (with zero meaning "clear the pin to DANE") this extension
> > can only really be used with mandatory-to-use-with-DANE protocols, where
> > the commitment to "continue to have DNSSEC-signed DANE records" is
> > implied.
> >
> 
> This simply isn't true, for the reasons Richard Barnes indicated in his
> response
> to you.

See my response to him.  For any non-mandatory use of this extension,
without the pinning semantics there is a glaring downgrade attack.

> HPKP had a TTL and yet as a practical matter, people found it very
> problematic.

I can see why: you have to commit to one certificate in the chain not
changing.  Whereas here you only have to commit to continue to publish
TLSA RRs (and signing them and your zone).  This is a big difference.

> And, of course, if you're concerned with hijacking attacks, the
> hijacker will just advertise a very long TTL.

But it's a TOFU-ish thing.  The server impersonator has to have the
right timing or else be detected -- that's very risky for them, and a
deterrent to even trying.  It's not fool-proof, but it's not nothing
either.

Nico
--

v2.23.0 | Report a Bug | By Email