Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps

Viktor Dukhovni <> Tue, 16 October 2018 23:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 21AF5130E37 for <>; Tue, 16 Oct 2018 16:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yzpE3oxOaqtb for <>; Tue, 16 Oct 2018 16:29:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BCE3D130E5D for <>; Tue, 16 Oct 2018 16:29:22 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id DCA742C069 for <>; Tue, 16 Oct 2018 19:29:20 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Tue, 16 Oct 2018 19:29:19 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: "<>" <>
Message-Id: <>
References: <> <>
To: "<>" <>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <>
Subject: Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Oct 2018 23:29:25 -0000

> On Oct 16, 2018, at 6:16 PM, Daniel Kahn Gillmor <> wrote:
> Just a quick summary of my understanding:
> * The existence of a pin only requires that the service operator
>   maintain the ability to respond to this extension in the future -- it
>   doesn't require specific keys, or even the use of DANE itself.  It is
>   not nearly as large a risk as HPKP's pins were.
> * Pinning fears are based on two scenarios: (a) footgun, where the
>   service operator makes a mistake, or (b) a malicious pin is set by an
>   adversary who has owned your domain.  (a) is overwhelmingly more
>   common, and is what we should focus on.  In the (a) scenario, the
>   admin has already deployed the extension, so there is no risk.  The
>   (b) scenario only matters if a service cannot deploy the extension as
>   intended, which is more of a chicken/egg problem of deployment and
>   implementation.  I don't think that's a huge risk but if we really
>   want to try to cover it, i think there are ways that we could
>   minimize it as well.

Thanks, that summary looks quite accurate.

> That said, it sounds like negotiating the details of how to do this
> pinning is the main blocker, and i'm sick of this proposal being blocked
> (because i want it for "greenfield" implementations last year).

To be fair, the present delays date back to just March/April.  Until
that time the draft was blocking waiting for TLS 1.3 to be finished
first.  So it has only been a few months.

> So one way forward would be to complete this extension without the
> pinning (explicitly acknowledging that it will not be useful for
> non-greenfield implementations on its own) and get it out the door.
> Then we can subsequently create a new extension that is only a
> "how-to-pin-dnssec-chain-extension".

At this point, I think that would be a mistake. The draft still needs
much work.  Though pinning has been a blocker, it has many other smaller
defects that have to be addressed, now that it is back for revision.

The draft fails to specify correct semantics for SNI, and leaves out
the port number from the client extension, but it is needed.

The draft fails to explain the server's responsibility to decrement
RRset TTLs if the server is providing previous cached data.

The draft fails to describe how virtual hosting should be handled.
The RRset ordering is unnecessary, and complicates the exposition.

Bottom line, there isn't a document that can (or at least should)
land back in the IESG queue with minimal changes.  It needs a bunch
of changes, and so we should really also resolve the pinning issue,
it is NOT that difficult.  It has been a series of misperceptions
all along.

> Alternately, if people could agree on a simple and clear pinning scheme
> that we could get out the door all in one piece, i'd be happy with that
> too.

The proposed extension lifetime field is all it takes, there is no
feasibility or need for a testing mode (because there's no way to
authenticate such a mode, or else we again lose downgrade protection,
and the analogy with HTTP STS is imperfect, and does not carry over).

There's also no need for "reporting URIs", failure signaling is
much better done in-band, via a suitable TLS alert.

All that's left to iron out is the maximum duration for the pin
lifetime, and whether we need to gradually scale it up as a function
of RFC lifetime, giving sites more protection from hijack DoS (if
that's really considered important enough to complicate the design).