[TLS] TLS interim meeting notes

Paul Wouters <paul@nohats.ca> Fri, 14 September 2018 19:00 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F1EF130FB8 for <tls@ietfa.amsl.com>; Fri, 14 Sep 2018 12:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2u8ZJ3eYu4C4 for <tls@ietfa.amsl.com>; Fri, 14 Sep 2018 12:00:18 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AF50130F93 for <tls@ietf.org>; Fri, 14 Sep 2018 12:00:17 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 42BlFn3gwjzCvX for <tls@ietf.org>; Fri, 14 Sep 2018 21:00:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1536951613; bh=kJiYgwnPYjIWia7CfW/slvz82pNQ92lSNZhpYV18C5A=; h=Date:From:To:Subject; b=IMg3veJxjZdIHUabqXpgJFsu0xZeiZXV5s00413ysXIyx5A9DtFv238NXmP7y0Iwn 3iD1wdIMSSQjrfbka1FozKLbgtxPVD5ViOB1APlvJXKtxP2Mz/MaxJH2m9o3+4gqT8 X67ufl524Jg4yMFqaRigxfoLtG1B/TEz+yYBKTao=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id P1WsJTBnxNjK for <tls@ietf.org>; Fri, 14 Sep 2018 21:00:10 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <tls@ietf.org>; Fri, 14 Sep 2018 21:00:09 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id B08FD3797AC; Fri, 14 Sep 2018 15:00:08 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca B08FD3797AC
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A3811402E52D for <tls@ietf.org>; Fri, 14 Sep 2018 15:00:08 -0400 (EDT)
Date: Fri, 14 Sep 2018 15:00:08 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: tls@ietf.org
Message-ID: <alpine.LRH.2.21.1809141459210.18449@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ER25dkqv3lzxk4yE2F-1qbvDy9M>
Subject: [TLS] TLS interim meeting notes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2018 19:00:35 -0000


My rough notes of the meeting. All mistakes are mine, please speak up to the list if I got something wrong

2018-10-14 TLS interim meeting

problem statement
viktor: authors seemed focus on dprive but not scoped as such. Scope in document is DANE PKI.
         dprive can make extension mandatory.
ekr: doing DANE as alternative to x509/webpki been around forever. been failing for long time
      two purposes of DANE: assert keys without X.509 and restrict webpki. DNSSEC unreliable
      for clients. from browser vendor, we need to be able to distinguish between bad network
      and attack. we cannot hard fail ever.
      ekr: mainly to not need CA based certs ("tax")
viktor: with acme, the really only use case is DANE restrictive use case
richard: 1) incremental deployment, 2) downgradability
         baseline: same properties as DNSSEC over a clean wire
         1) dont understand incremental deployment issue.
ben: two incremental scenarios: 1) enable the use of DANE.. seems richard 2) use case is not wanted?
nico: Its my (server)'s choice of cert not TLS client.
viktor: its another road block
paul: just like selfsigned cert or bad_ca is a hard fail, dane failure can be a hard fail
       protocol shoudl allow hardfail so implementors can make a choice
       re: richard: is a downgrade attack too and additional roadblock
ekr: let me clarify hard fail. if we do dnssec and get a malformed A record, we would ignore.
      bogus seldsigned cert, we fall back to dialog for user.
      extra hardfail if server hsts, we wont allow override.
      not viable for generic client to act on dnssec failures.
nico/viktor: an operator should have the choice to be on the webpki, dane or both.
              pinning of extension gets us the last mile problem solved.
viktor: can't tell operators with a downgrade attack they get no benefits for years.
nico: that's why the extension pinning is so important. To get immediate benefit for cost
nico: in real life, it will be the same key/cert whether it is webpki or dane.
viktor/nico: give operators choice, make no value judgement about webpki or dane
richard: you cannot expect this tls extension to become mandatory
paul: TLSA is the authoritatve source. the tls extension is a temporary solution to fix the last mile
ekr: SNI example.... coordinated actions in community. that is how things are done.
viktor: SNI doesnt cost. Deploying DANE has a cost. if the new signal is downgradable it makes no sense
         to pay the cost. You dont pay anything to use SNI.
richard:  if we want restrictive DANE, we need pinning.
paul: yes, it is the main use case in my opinion.

ben: strawman proposal:   what if client signals server 'i am willing to do dnssec, or surely doing dnssec
      and 'i already have records' or 'i need records'
viktor: can we decide the restrictive use case on this call?
ben: not sure if we can make further process on this call. we need consensus
nico: real question is, should we say "no one can get it". The question is not what we want.
       the question is what are we letting the operators do?
richard: some want restrictive usage for restrictive usage. some want additive usage.[ did not understand
          what richard said here]
ekr: Q is not what the server operators want. but what the internet wants. comes back to cost / benefit
       analyses of pinning. 
nico: cost of changing deployment is free. i can change it whenever i want.
viktor: HPKP is people shooting themselves in the foot, not really real attackers.
         Here [with extension pinning] you cannot shoot yourself in the foot. you can immediate fix anything
         [implies ekr's cost is not really there, other then some imaginary near zero risk cases]
richard: even in waterdown pinning, if my dnssec blows up there is breaking risk
paul: 
ekr: i think there was bricking but also hijacking with HPKP. user's at risk, should we give them the option?
viktor: there is no real longterm risk, just a very small narrow if-chain of events that could go wrong
ben: pinning semantics is an open question. HPKP lesson is about why it was unexpected and then pulled as
      failure, not the specific technical issues within that proposal.
nico: there is 1 pinning proposal and has 1 analyses. it is fundamentally different.
ben: there is no consensus on the approach
viktor: there is no concensus on whether we can have pinning  [?]
ekr: pinning also depends on being able to create the tls-dnssec-chain to get usable data for the extension
ekr: new failure mode is bad extension data 
nico: but you can fix instantly. there is no pinning time period of failure in the future
ekr: important to know commitment with pin. I dont say it is catastrophic
ekr: someone maybe ben can write up neutral description . then re-discuss in WG
nico: i wish we could agree that TLSA is always restrictive. would be nice to agree on that fact as well
nico: it would be nice to know the specific objections to pinning, like risk to the internet, or two bytes,
       or what it is.
ekr: I am happy to answer that. [didnt get what he said]
nico: would be good to talk about the pinning risk scenario and likeliness/impact
viktor: think we have more work to do as focus group do an interim before going back to the WG
ben: going to be more discussion. logistically, we have to see.
ekr: lets see. this was productive, lets see how it goes
ben: it is one big diff, can you break it up
viktor: it is 24 commits
ben: ok