Re: [TLS] draft-shore-tls-dnssec-chain-extension-00

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 19 July 2015 18:18 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B2121B2B7F for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 11:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzrpqQu1DNhB for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 11:18:22 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDFA1B2B7E for <tls@ietf.org>; Sun, 19 Jul 2015 11:18:22 -0700 (PDT)
Received: from fifthhorseman.net (dhcp-a29a.meeting.ietf.org [31.133.162.154]) by che.mayfirst.org (Postfix) with ESMTPSA id 4E891F984; Sun, 19 Jul 2015 14:18:21 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id E8C29202E8; Sun, 19 Jul 2015 20:18:18 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, tls@ietf.org
In-Reply-To: <20150701035820.GJ14121@mournblade.imrryr.org>
References: <55922571.8080605@nomountain.net> <alpine.LFD.2.11.1506302319510.29441@bofh.nohats.ca> <CAHPuVdVc01v4EKM5A9OEQ2Y78b=zZeQjKHigP3NR5nAT=y7FwQ@mail.gmail.com> <20150701035820.GJ14121@mournblade.imrryr.org>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Sun, 19 Jul 2015 20:18:18 +0200
Message-ID: <87k2twm2ol.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JNpJ6Oguv2kdPy-k-inHQUAXP_E>
Subject: Re: [TLS] draft-shore-tls-dnssec-chain-extension-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2015 18:18:24 -0000

Thanks for this draft, i'm definitely interested in seeing it push
forward.

On Wed 2015-07-01 05:58:20 +0200, Viktor Dukhovni wrote:
> Instead, there would need to be in various cases:
>
>     * A validated chain of CNAMEs (possibly synthesized via validated
>       DNAME RRs) leading from the client's requested SNI name to
>       a final TLSA base domain.  (0 or more CNAME/DNAME indirection
>       records and all the DNSKEY/DS/RRSIG records to validate
>       these).
>
>     * A validated chain of CNAMES from _port._proto.<base-domain> to
>       an actual validated TLSA RRset (and ...).
>
>     * The final TLSA RRset with all the requisite validation records.
>
>     * Also a potential change in the client's notion of the reference
>       identifier to match in certificates, to the final TLSA base domain.

Complicating this further, there could be a chain to an SRV or MX
record, which then needs to chain to the TLSA, in think (possibly with
CNAMEs in the mix).  This is potentially a pretty long chain.  also: how
does a multi-tenanted server know what SRV or MX chain to include in the
chain?

        --dkg