Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

[Paul Wouters <paul@nohats.ca>]

On Wed, 18 Apr 2018, Joseph Salowey wrote:

This is a combined response of Viktor, Nico and Paul.

>  Concerns have been raised about the trade-offs associated with pinning and I
>  do not think we currently have consensus to add
>  pinning.  While I think it may be possible to come to consensus on pinning I
>  think it may take some time.  I believe we can
>  quickly get consensus for the following approach:

A slight correction here. The call that there is no consensus on pinning
is not entirely correct. The discussion showed a majority of people in
favour of some kind of pinning, but with most people being agreeable that
this can be in its own document and not hold up this document further. A
pinning document is inevitably coming.

>  1. Scope the document to the assertive use cases

This means actually leaving out what some of us think are the most
important use case - an alternative for webpki. While we are okay
to reduce the scope of this document, it seems logical that such
decision comes with some guarantees to allow the other use cases.
Which gets us back to a new document about pinning (see below)

>  2. Explicitly allow (but do not require) DoE be included

The document does not currently allow the extension to be empty. So if
there is no TLSA record and the extension would be present, it therefore
can only contain a DoE chain. So what do you mean with item 2? Possibly
you mean to say "if there is no TLSA record, the extension can be omited
or the extension can be included with a DoE chain" ? That would be okay
with us.

>  3. Remove current text about pinning

That is fine, but one caveat below.

>  4. Re-submit the document for publication and start work on a separate
>  extension that supports pinning

While we agree we can move pinning to a separate document, it makes much
less sense for this to become an additional fully independent TLS
extension, especially since the pinning will depend on DNSSEC properties
only delivered by the TLS-DNSSEC extension. So as we suggested before, the
best solution therefore would be to define this two byte pin in the
current document, and be defined as "ignore completely unless you
implement this other RFC". That is,

      The proposed 16-byte "extension support lifetime" field will:

        * Have 0 as the only value defined in the present draft
        * Servers that implement only the present draft SHALL send 0.
        * Clients that implement only the present draft SHALL treat
          any value received as though it were 0.
        * A zero "extension support lifetime" field prohibits the
          client from unilaterally mandating the extension based
          on prior observation of its presence (pinning).

This a win-win for both opponents and proponents of pinning. And not
only that, it will allow us to put the pinning inside the extension
it relates to.

Additionally, with no pin set to 0 in the current document, and no
mentioning of pinning since the consensus agrees to remove it that,
client implementations will not be told to not pin, and will start doing
something like TOFU like pinning. It would actually be better to specify
this zero pin to prevent this from happening.

If you take it as a given that we will write this document, then it only
makes logical sense to already reserve these two bytes in the current
document, even it if states "must be 0". Our document will Update:
this document to describe the pinning in detail.

Nico, Paul and Viktor