Re: [TLS] Enforcing Protocol Invariants

Viktor Dukhovni <> Sat, 17 November 2018 20:45 UTC

> On Nov 17, 2018, at 6:07 AM, Lanlan Pan <> wrote:
> And TLS's distributed certificate exchange may be better than DNSSEC's centralized trust anchor.

In principle, yes, when one carefully selects just the appropriate
trust anchor(s) for a given task.  Some applications do use specific
trust-anchors (internal corporate CAs) at least some of the time.

[ FWIW, TLS is trust-model agnostic; it is the WebPKI that uses the
  usual panoply of CAs. ]

In practice, one generally uses the Mozilla or similar trust bundle,
and so it is still centralized, except that now the attacker has a
choice of multiple central authorities to compromise.

So most of the time the WebPKI is weaker, but you sometimes have
a choice when you can limit the set of peers with which you need
to communicate.

With DNSSEC, validating resolvers can also configure trust-anchors
at any point in the tree, which also allows for internal corporate
trust-anchors, and if some TLD or similar followed the RFC5011 key
rollover process used at the root, one could also track the TLD's
keys independently of the delegation from ICANN, but AFAIK this is
not presently a common TLD practice.
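The point above about selecting just the appropriate trust anchor(s) for a task, as an added Go example that is not part of this thread or of any project: it builds an internal CA and an unrelated CA in memory (the CA names and the host name are constructed), then shows that a certificate for the internal host issued by the unrelated CA is accepted when both anchors are in the bundle, but rejected when only the internal CA is trusted.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with parentKey (nil parent = self-signed); in-memory keys, illustration only.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // distinct, positive serial
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
func newServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	c, _ := mint(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return c
}
// Trusted reports whether leaf verifies for host against exactly the given anchors.
func Trusted(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// Scenario: a broad bundle (both CAs) versus a task-specific anchor (corp CA only).
func Scenario() (genuineOK, rogueViaBundle, rogueViaPinned bool) {
	corpCA, corpKey := newCA("Corp Internal CA")      // the anchor appropriate for this task
	otherCA, otherKey := newCA("Unrelated Public CA") // another anchor in a broad bundle
	host := "intranet.example"                        // constructed host name
	genuine := newServerCert(host, corpCA, corpKey)
	rogue := newServerCert(host, otherCA, otherKey) // what a compromised or misused other CA could issue
	return Trusted(genuine, host, corpCA, otherCA), Trusted(rogue, host, corpCA, otherCA), Trusted(rogue, host, corpCA)
}
```

Scenario returns (true, true, false): the broad bundle accepts the rogue certificate, the single task-specific anchor does not.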