IETF Logo Mail Archive

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 02 December 2022 09:36 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F341C14CF0E for <tls@ietfa.amsl.com>; Fri, 2 Dec 2022 01:36:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VrbqQ6HJfdy for <tls@ietfa.amsl.com>; Fri, 2 Dec 2022 01:36:30 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB997C14CF04 for <tls@ietf.org>; Fri, 2 Dec 2022 01:36:29 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 0459C118D31; Fri, 2 Dec 2022 04:36:29 -0500 (EST)
Date: Fri, 02 Dec 2022 04:36:28 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls <tls@ietf.org>
Message-ID: <Y4nHHNrbg4bBvaa+@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <4yMjmvm9CHgt_ZRCbd4naTd5XKOt6dr5IKgY6l6-qgtFBL7aPnHSuPdW_Vz18GM-BRXKLE98BM96N_OtPXMQt7yde0gubFY5SZA-eI9a_Jo=@olliejc.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4yMjmvm9CHgt_ZRCbd4naTd5XKOt6dr5IKgY6l6-qgtFBL7aPnHSuPdW_Vz18GM-BRXKLE98BM96N_OtPXMQt7yde0gubFY5SZA-eI9a_Jo=@olliejc.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NMfHnn_79CJqopO_2qORwqO3x7c>
Subject: Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 09:36:32 -0000

On Fri, Dec 02, 2022 at 06:40:25AM +0000, Ollie wrote:
> > There's nothing to be gained by publishing SCTs in self-issued DANE-EE
> > validated certificates. Are you proposing to make SCTs mandatory in
> > DANE? Which user agents would insist on such SCTs and why? If not,
> > what problem would optionally including them solve?
> 
> Yes, primarily for browser user agents.  See below on use
> cases/problems.

In that case, why not just require the PKIX-EE and PKIX-TA usages, and
forgo "self-signed" certificates.  With PKIX-EE you still get to
explicitly identify a particular certificate in the TLSA records, but
it must now also follow all the WebPKI rules (including CT support if
applicable).

> > Note also that the "expiration" date of DANE-EE certificates is ignored,
> > the freshness of the key binding is attested via the TLSA record RRSIG,
> > rather than the dates in the certificate. The proposed 90-day limits on
> > "certificate lifetime" are antithetical to DANE-EE.
> 
> Noted and understood, although not sure I agree the certificate expiry
> should be ignored. What happens if I put a TLSA record for a CA
> certificate that then traditionally expires? Would user agents be
> expected to fall-back to using the RRSIG freshness?

A TLSA record for a "CA" certificate would be DANE-TA (usage 2) not
DANE-EE (usage 3), and in that case dates are not ignored in the issued
certificates.  Whether trust-anchors expire or not is not even explicit
in PKIX (a trust anchor is just a public key), and if the CA is matched
via its public key alone (say "TLSA 2 1 1 ...") then mutations of the
date are not covered by the TLSA record.

Again, and perhaps this should end this thread on the TLS WG list, where
it is not exactly on topic, it seems you're really looking for the
PKIX-TA(0) and PKIX-EE(1) certificate usages, and haven't analysed DANE
closely enough to see why those are already what you suggesting.

> I hadn't come across DNSSEC-Transparency so that probably covers a
> lot/all of the following, however I think it's worth considering CT
> log incorporation as that ecosystem is well established and the
> adoption of self-signed certificates (SSCs) would likely require
> little revision by monitors/user agents etc.

There is no DNSSEC transparency, it is just somewhat plausible
vapour-ware I've made up...

> 1.H: If presented with an SSC the user agent would require TLSA
> records and a complete DNSSEC chain and for the presence of an SCT for
> checking a CT log, doing those increases the level of assurance that
> the presented SSC is valid for the given website. If only one is
> valid, then some misissuance could have occured and a block or warning
> could be displayed to the user.

PKIX-EE with a certificate issued by a CA that participates in CT meet
your needs.  Along with browsers insisting on SCT (if that's what they
do when doing WebPKI).

Of course browser support for TLSA lookup does not look likely in the
mainstream browsers particularly soon.

If you can persuade your users to use a specialised browser with DANE
support (and I guess DoH or DoT required for DNS, else last mile
breakage is rather a barrier to DNSSEC), then perhaps you'd be able to
require PKIX-EE have your "self-signed" (really end-entity server-side
pinned) certificates.

Actually minting the certificates yourself vs. getting them from Let's
Encrypt hardly makes any difference with PKIX-EE, they're free either
way, and Let's Encrypt takes care of the CT side of things.

Sure LE doesn't presently check DNSSEC-signed TLSA records before
issuance.  But a DNSSEC-signed EE public key hash could well be a
supported ACME challenge type, that would in fact be stronger than the
current TOFU "proofs" of domain control.

So if there's an IETF group to nudge along the lines you suggest, it
might be ACME, rather than TLS, with a suitable directive in
DNSSEC-signed CAA records.  This could could be the only acceptable
domain control proof.  Solving also the problem of getting certificates
issued for various services that are not web servers.

    smtp.example.com. IN CAA ...
    smtp.example.com. IN CAA 128 spkialg=SHA2-256
    smtp.example.com. IN CAA 128 spkival=...

would require the CA to support the above critical attributes, and match
the spki value against against the requested public key.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email