[TLS] Cert Enumeration and Key Assurance With DNSSEC

Phillip Hallam-Baker <hallam@gmail.com> Fri, 01 October 2010 15:28 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 6D2703A6AED; Fri, 1 Oct 2010 08:28:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.964
X-Spam-Status: No, score=-1.964 tagged_above=-999 required=5 tests=[AWL=-0.266, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id Yvr2-up3+c3A; Fri, 1 Oct 2010 08:28:48 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com []) by core3.amsl.com (Postfix) with ESMTP id A73453A6BE6; Fri, 1 Oct 2010 08:28:47 -0700 (PDT)
Received: by wyi11 with SMTP id 11so3573414wyi.31 for <multiple recipients>; Fri, 01 Oct 2010 08:29:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:cc:content-type; bh=wloNndc5fE2e4RtCUQCjnoCy+YP7T63wIiKSnSYLhTo=; b=NExISL7+64tvOClnix++OMZN8zgy0kiSZCIl7fbX0idLone+zhFZcIYlyeUFG79kRO Za+7qZVqkvLbvsedkOGdB5Py3BkcHcM91rrIxmH2y0ksbj8+xKsiwqwYLpG9Fh8Odq3d mbAFfjeQCUVRxLoPP0h0U3j3OZxLcJhgR8xXM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=rPoA9R0hYzobXvTJ5rmmi3DyjIBdARhOEpFDmojwsw4XYWxFRaFp3vc6DaqvFigS9L WIOvMODqDLs9ivlRKosEQ+BPnhfDTrzIyM5Kgy0NQcBmzV0jQ9XiUNz/o+pE2uFsOfll gondrahse1RprJh/iExG6ZTe6fkQRUFYEUP5k=
MIME-Version: 1.0
Received: by with SMTP id 51mr2254523wex.72.1285946975359; Fri, 01 Oct 2010 08:29:35 -0700 (PDT)
Received: by with HTTP; Fri, 1 Oct 2010 08:29:35 -0700 (PDT)
Date: Fri, 1 Oct 2010 11:29:35 -0400
Message-ID: <AANLkTinRWJZr7huuG+Ovh3sCCUnVZAghggAzmq7g6ERx@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej.sury@nic.cz>
Content-Type: multipart/alternative; boundary=0016364c7bd1aabebf04918fdc0a
Cc: pkix@ietf.org, dnsop@ietf.org, tls@ietf.org, saag@ietf.org
Subject: [TLS] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 15:28:50 -0000

For the past month I have been participating in the KEYASSURE discussions.

One aspect of those discussions that was not made clear in the original
notice sent out is that the group is not only considering key assurance, the
proposals made are also intended to have security policy semantics.

This was not apparent to me from reading the list announcement, the initial
proposed charter or the Internet drafts. I have asked the organizers of the
group to clarify the matter in the wider IETF community but they have not
done so.

In particular I am very concerned about the particular approach being taken
to security policy. What the proposers are attempting to do is to create a
mechanism that allows a site that only uses one particular high assurance CA
to 'protect' themselves against SSL certificates being issued by low
assurance CAs.

As such, this is an objective I approve of and is one that I would like to
see supported in a generalized security policy. It should be possible for a
site to make security policy statements of the form 'all valid PKIX certs
for example.com have cert X in the validation path'.

What I object to is the approach being taken which is to use DNSSEC to
replace PKIX certificate validation entirely.

Now the proponents are trying to downplay this by saying that 'all' they are
doing is to tell people to 'ignore' PKIX validation. But that approach
really offends my sense of layering.

Worse still, the proponents refuse to allow any method of shutting this
system off. So if I have a site where I want to use DNSSEC validated
certificates on the mail server, deployment is going to impact my Web

Specifically the proposal amounts to using the DNS CERT record to publish a
fingerprint of all the certificates permitted for use with TLS at a specific

example.com CERT TLSFP 0 0 <digest cert 1>
example.com CERT TLSFP 0 0 <digest cert 2>

It is proposed to replace current TLS certificate processing semantics with
the following:

1) Query for CERT record at example.com
2) If no CERT record with TLSFP certificate type exists then perform normal
PKIX validation and return that result
3) Otherwise attempt to match the TLS end entity certificate with one of the
fingerprints specified in the published TLSFP RRs
4) If a match is found return VALID, otherwise return INVALID

Note here that if there is a TLSFP RR that it takes precedence over PKIX
processing rules.

There should of course be DNSSEC validation performed in that process as
well, but the authors have not explained how that is meant to work in the
context of their proposal so I left it out.

The defenses made for this approach are of the form 'you have to wear big
pants to play this game'. In other words if people are going to administer
these systems and not be burned they are going to have to understand what
they are doing. I do not consider this a responsible approach to protocol

What I would prefer is to have systems that do not need to be administered
by people at all. That is not possible when the approach has hidden side
effects that cannot be anticipated by scripts.

I am very much committed to the idea of doing security policy. But this is
not an approach I can support. Any policy mechanism has to be orthogonal to
the key validation strategy in my view. I should be able to use any DNS
security policy mechanism that the IETF endorses with PKIX certificate
processing semantics.

I have proposed an alternative approach in


This does not currently contain a mechanism to express trust restrictions
but is designed to be extensible to support such. When I proposed ESRV I was
unaware that the KEYASSURE proposal was intended to have a security policy
aspect at all. It is still not made explicit in their draft.

Using the revised version of ESRV I am currently writing, a security policy
of the form 'always use TLS with any protocol at example.com' would have the

example.com ESRV "tls=required"

A security policy that was specific to http would be expressed as:

example.com ESRV "prefix=_http._tcp"
_http._tcp.example.com ESRV "tls=required"


example.com ESRV "prefix=*"
_http._tcp.example.com ESRV "tls=required"

The reason for this change from the -00 version is that this approach
supports CNAMEs.

The reason that I started with the requirement to use SSL is that security
policy relating to trust criteria is meaningless until you have a statement
that use of SSL is required.

I have no objection to doing security policy. But I do have a real objection
to an approach that negates PKIX semantics as the TLSFP approach does.

-------- Original Message --------
> Subject: New Non-WG Mailing List: keyassure -- Key Assurance With DNSSEC
> Date: Tue, 17 Aug 2010 11:36:02 -0700 (PDT)
> From: IETF Secretariat <ietf-secretariat@ietf.org>
> To: IETF Announcement list <ietf-announce@ietf.org>
> CC: keyassure@ietf.org, ondrej.sury@nic.cz, warren@kumari.net
> A new IETF non-working group email list has been created.
> List address: keyassure@ietf.org
> Archive:
> http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html
> To subscribe: https://www.ietf.org/mailman/listinfo/keyassure
> Description: This list is for discussion relating to using
> DNSSEC-protected DNS queries to get greater assurance for keys and
> certificates that are passed in existing IETF protocols. The main idea is
> that a relying party can get additional information about a domain name to
> eliminate the need for using a certificate in a protocol, to eliminate the
> need for sending certificates in the protocol if they are optional, and/or
> to assure that the certificate given in a protocol is associated with the
> domain name used by the application. In all three cases, the application
> associates the key or key fingerprint securely retrieved from the DNS with
> the domain name that was used in the DNS query.
> For additional information, please contact the list administrators.
> --
>  Ondřej Surý
>  vedoucí výzkumu/Head of R&D department
>  -------------------------------------------
>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>  Americka 23, 120 00 Praha 2, Czech Republic
>  mailto:ondrej.sury@nic.cz    http://nic.cz/
>  tel:+420.222745110       fax:+420.222745112
>  -------------------------------------------
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

Website: http://hallambaker.com/