[TLS] dnssec_chain pinning issues and discussion
Christopher Wood <christopherwood07@gmail.com> Wed, 24 October 2018 02:19 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A42A0130E41 for <tls@ietfa.amsl.com>; Tue, 23 Oct 2018 19:19:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jhLu6WqtosB8 for <tls@ietfa.amsl.com>; Tue, 23 Oct 2018 19:19:05 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72C4C130DD2 for <tls@ietf.org>; Tue, 23 Oct 2018 19:19:05 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id j20so972465vso.8 for <tls@ietf.org>; Tue, 23 Oct 2018 19:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=abpZQqnyx6qPDlj0i5wgB1Yxo1i9WVd4LXSrq1OdDLs=; b=DxZKXaETFJxIrzBQtZFGyQ3JOrGQnRerz8lx7ZVAHUE4CjGD2XtTeWV87moO5qV3iW TecHxtYWoRzLqUR2w3RXzRpTszMBzsKLXS7SsfDr5TsIESWW+njX1N5mrolhP/VkJzzI CzaH2nJm6jdfwg/MuEIt22NNgfhbuvEJ32r39KgekXz/94rqdu8qbtBiSqkD7STBK0KN mhMAdbCJuFZodZpQmQ4WwZjC4NDC0IMAl6AvBn6nKVjw7g25inMkhgLk2MkIZDeTlceA bsYiE8t0gtqFUKGGjIyJ+gSMHLmXU2t9N7z3gBb49xT14KI2eao/a1Oygk2kEfzH6w9v g3cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=abpZQqnyx6qPDlj0i5wgB1Yxo1i9WVd4LXSrq1OdDLs=; b=t3feknubUpuHoO9cJE+/4VT5CS816Mzz5zXX1u+2iMjIprK4HCc4p/IMpnn8LZ26cc WI5krnW0Ge90aExUo15mrCfT4YLRpRkeG2cNfTwxxBG6Mw5oMskm2lcaW4Gua5bQQjeM XR6fmNkTqpRYEwG81C3Gw1YDZtbXog2UZ90RhcItUtFcV+KRxS2BP4Fh2uCP9arQuBS2 sze3lqH0BPAm28kq8EFgclvT+B4gZ3AEHvDrhk88KagRs7P3AKlAE0J0oDMJ7zvyl80h o4d23rx5/4hlswcVkEjuDA74E9knOoJ/0GVy1cBWsQcmHBsqxyQSyp5noAjQRszVpRtD /mCw==
X-Gm-Message-State: AGRZ1gKljEsbu88QCZT5w/C1Wfe2Ux9P+xo+DlHuRq/fQbBWExuwy7pj u3m198DydQfVs08SlYSr2hqaY8mG09lS1lg1NFEEePMY
X-Google-Smtp-Source: AJdET5eukywoWmXlBN+V4ZRkrEHLS2CPQKwI+UYnIJimpUa8sS9kn5E2IlRoXc+k8Nn8uA+iaLO4u/J027f6f+6TVi8=
X-Received: by 2002:a67:f096:: with SMTP id i22mr318800vsl.174.1540347544028; Tue, 23 Oct 2018 19:19:04 -0700 (PDT)
MIME-Version: 1.0
From: Christopher Wood <christopherwood07@gmail.com>
Date: Tue, 23 Oct 2018 19:18:47 -0700
Message-ID: <CAO8oSXmGRRpe6frLOkkqjth8BMhTBuWzk+vjqj1UK8vGyb+feg@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D9oAaNuCcbVqyoKOwCM3mAmE9S4>
Subject: [TLS] dnssec_chain pinning issues and discussion
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 02:19:06 -0000
Thanks to those who contributed to the discussion on this topic over the past two weeks. It led to useful insights and clarity around the problem statement, desired use cases, and current state of this draft. (Specifically, Viktor’s summary of the problem statement in [1] was quite helpful and, absent objections, would probably make a nice PR for which we can gauge consensus.) To summarize some of the long discussions, among the primary use cases raised over the lifetime of this draft, we have the following: - Increase availability of DANE records for clients. - Provide an alternative to WebPKI-based server authentication. - Gain operational experience with DANE on clients and servers. - Increase connectivity to DANE-only clients and servers. (This is not a realistic use case in the immediate future.) These are meant to apply to both greenfield and incremental deployment use cases. If there are others, please share them with the list. If anyone feels as though we should not target the incremental deployment use case and instead focus strictly on greenfield applications, or if the current use cases as written are under specified or unclear, please say so, and say why. Minimally, for broad use cases, it seems necessary to have some way to prevent attackers from stripping the additional protection communicated by this extension from the TLS server to the TLS client. Extension pinning of some type would seem to address this particular issue. The text from Paul and Viktor [2] shared before the interim is one specific proposal for this pinning. In the context of this proposal, the following issues have arisen: 1. Servers may make mistakes which lead to connection issues, i.e., it’s a footgun. (Note: The chance of this happening while the extension is not yet universally supported is low.) 2. Malicious pins can be set by an adversary who can modify the victim's DNSSEC records. This can force the TLS client to use the extension for a long time, even after correcting the DNSSEC compromise. 3. Some sort of in-band (or perhaps out-of-band) alert may be required for pinning to function safely and correctly. 4. Non-universal deployment of the extension within a TLS farm (operator) may make removing the pin difficult since any particular server may not have an implementation of the extension. If you feel any of these are non-issues, please say so, and say why. If you feel any of these issues are incorrect, please say so, and say why. The chairs would like to have all issues with the *current* pinning proposal aired and discussed before Bangkok. That will allow us to asses the proposal and whether or not it satisfies the desired use cases. Note that this list may not be exhaustive. Thus, if there are other omitted issues that have been raised, please share them with the list for discussion. Thanks, Chris, Joe, and Sean [1] https://mailarchive.ietf.org/arch/msg/tls/OWxALokRtxNcaFdPyNiHTOt_wjQ [2] https://github.com/tlswg/dnssec-chain-extension/compare/0664d5a608bc2cd82967370160fd4b837dba8fab...vdukhovni:for-interim
- [TLS] dnssec_chain pinning issues and discussion Christopher Wood