Re: [TLS] Precluding bilateral opt-in for downgrade protection.

Viktor Dukhovni <> Sat, 28 April 2018 17:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8AA6E1270FC for <>; Sat, 28 Apr 2018 10:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mqct-BpqcL6E for <>; Sat, 28 Apr 2018 10:40:28 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6D5951200B9 for <>; Sat, 28 Apr 2018 10:40:28 -0700 (PDT)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id DC6747A3309 for <>; Sat, 28 Apr 2018 17:40:26 +0000 (UTC) (envelope-from
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Sat, 28 Apr 2018 13:40:25 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <>
Message-Id: <>
References: <> <>
To: TLS WG <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [TLS] Precluding bilateral opt-in for downgrade protection.
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 28 Apr 2018 17:40:31 -0000

> On Apr 28, 2018, at 12:26 PM, Shumon Huque <> wrote:
> I am in support of doing the pinning in a new extension, and will
> even help you write the draft if you like. I'm pretty sure we could
> have easily done this in the time that has been taken up on list
> endlessly and repetitively discussing this.

I should note that substantial issues were discovered (and will
be addressed) during the consensus call, which ended Apr 18th,
and that there is not yet a revised version of the draft that
addresses these, so while the discussion back and forth has
been lengthy, it has gone on in parallel with process that
needed to take place and is ongoing.  So discussion of doing
more than removing the unilateral pinning that was present and
adding denial of existence which was needed has not as yet caused
any additional delay.

> Clearly I can speak only for myself, but I strongly suspect others
> in the WG will also support this (as long as it's in a separate
> extension), so if you pursue this approach, I think you'll succeed
> in adding this functionality, and will not be actively blocked by
> others.

We may yet have to see how much support or opposition the follow-on
document will meet.  What continues to be puzzling is resistance to
adding a field that imposes negligible burden on the present spec,
and would clearly be included in the follow-on extension.  It might
well be the only thing that's in the follow-on extension, and so
provisioning space for it has a strong chance of simplifying the
burden on future implementations that would need only implement code
for just one extension structure instead of two.  Worst-case we have
two reserved bytes in the current extension.

> As far as I can assess, the reason you are getting resistance for
> adding a pinning field in this spec is two fold:
> First, there is no agreement that your reason for doing pinning,
> i.e. that DANE needs downgrade resistance against PKIX attacks
> is even valid.

The reasons are an easy exercise in logic if one is to be able to
deploy DANE at all, incrementally in *any* existing WebPKI application
(say IMAP).  This was addressed weeks back when I explained that
without downgrade protection the deployment of this extension is all
cost and no benefit.  There was agreement on this point even from those
who opposed adding the downgrade protection.

> This can be clearly seen from various comments on
> list and at IETF/London, such as the point made many times that 
> the original purpose of this draft was to add DANE as an additional 
> possible authentication mechanism in TLS, not to position it as a 
> mechanism that if available unconditionally trumps PKIX authentication..

Those comments are gut reactions that have not considered the issue with
care.  We must discount them.  This extension can only work as a mandatory
sole mechanism.  All other models fail the cost/benefit analysis.

Some may want to deny others the opportunity to use this extension in
additional contexts.  My reaction to that is that they are under no
obligation do use it themselves, and setting the field to zero opts
them out of such use.  Nothing I'm proposing mandates downgrade protection
for the extension.  I am just asking for it to be possible, on a mutual
opt-in basis between client and server.

> If you look back at my back-and-forth answering IESG review comments, 
> you will observe that I had to add text to the draft that says TLS clients 
> can fail back to normal PKIX authentication if DANE fails for any reason
> (i.e. a protocol behavior that is the opposite of downgrade resistance).

Clients can choose to do that whether or not the downgrade protection
is available, and servers can opt-out of downgrade protection.  What
we are talking about is whether downgrade protection is to be unavailable
even if both sides wanted it, and the application supported it.

I have no intention of forcing anyone to enable downgrade protection in
code they develop and support or systems and applications they deploy.
Their choice to leave it off.  My problem is with the IETF leaving a
gap in the specification that removes the option of downgrade protection.

> There are other comments like (paraphrasing) "What's the downgrade 
> problem? The only security downgrade issue I see is DNSSEC's use of 
> legacy crypto"?

Folks who don't trust DNSSEC are unlikely to deploy the extension,
but if they do, will presumably want PKIX-EE(1) or PKIX-TA(0) so
that WebPKI is also employed.  These however require downgrade
protection.  Without downgrade protection you're stuck sometimes
trusting just DANE.

If one considers DANE to be too weak the solution is to make it
STRONGER not weaker!!!  To make it stronger you need downgrade
protection so that you can use PKIX-EE(1) and PKIX-TA(0) and
ignore DANE-EE(3) and DANE-TA(2) as "unusable".

> Clearly, for most DANE proponents, an obvious goal for the protocol
> would be to protect against PKIX attacks. In an ideal world, I share
> that view also. But I also recognize the other views I just described,
> and am willing to make compromises to get a foot in the door for DANE
> first. There will always be opportunities to improve the protocol
> later.

The other views are either largely irrelevant or self-contradictory.

  * Those with no plans to use this extension have little standing
    to dictate its content.

  * Those who plan to use it, but only in mandatory contexts have
    little standing to preclude other uses.

  * Those who would use this extension in opportunistic contexts
    (incremental deployment, when available), but oppose downgrade
    protection, have failed to consider the threat model and cost/benefit
    analysis in any detail:

    + If one considers DANE weak then it must not be used alone, and
      to be useful in combination with WebPKI it requires downgrade

    + If one considers DANE strong than one should want to avoid downgrades
      to the weaker WebPKI.

> In fact, the legacy crypto issue will always be a huge impediment for
> any DANE proponent in arguing against the Internet PKI.

In the context of this extension I am NOT arguing for or against the WebPKI,
nor for or against DANE.  I am arguing for a sensible definition of this
mechanism that is not crippled to handle just one deployment model (just
applications where it is mandatory, what are these applications where
the extension is to be mandatory?)

> An argument
> I've heard many times: Since most of the Internet PKI has moved to
> 2048-bit RSA or better, why would I degrade the security of my system
> by moving to DANE, which in most cases is protected by 1024-bit RSA ZSK's
> in the weakest part of the chain (some chains are even weaker)?

Then they should oppose the present draft, require downgrade protection
and limit their  applications to just PKIX-EE(1) and PKIX-TA(2).  The
present draft says:

   A TLS client making use of this specification, and which receives a
   DNSSEC authentication chain extension from a server, MUST use this
   information to perform DANE authentication of the server.

My pull request changes MUST to SHOULD and adds necessary caveats about
"unusable" TLSA records (such as perhaps DANE-EE(3) and DANE-TA(2) if
the application wants to always use *at least* WebPKI).  Another option
is to just delete this paragraph, though it would be better to then
say "MAY" and still list the proposed caveats, silence is worse than
explaining the additional considerations.

Visceral dislike of DNSSEC is not a good reason to further weaken
DNSSEC-based mechanisms.

> And if so,
> why should PKIX not need downgrade resistance against DANE, rather than
> vice versa?

Indeed, hence PKIX-EE(1) and PKIX-TA(0), and potential application
profiles that support just these certificate usages, but then
(surprise!) you need downgrade protection for this extension to be
at all useful.

> For DANE proponents to make a stronger case, they need to
> urgently solve this problem. I'm not sure how to do that quickly - it
> probably involves getting ICANN to impose rules on TLDs prohibiting
> weak keys (which would likely take years).

We are NOT arguing for or against DANE or WebPKI.  We're defining
an extension that makes it possible to obtain DANE TLSA records,
from the TLS server.  This mechanism with some rare exceptions
(greenfield applications that purportedly mandate DANE, do they?)
needs downgrade protection to be useful.

> The second reason is that pinning really is a controversial feature.

Which is why it is OPTIONAL, and disabled explicitly in the initial

> And for this reason, putting it in the core spec will be difficult.

There is no pinning in the core document, only a reserved field
that explicitly proscribes unilateral pinning.

> I won't repeat all the arguments and concerns expressed already, many
> of which I share by the way.

Most of those arguments are substantially flawed.  Only if
one believes that downgrade protection must not be allowed
to be specified and one not only never intends to use this
extension in one's own applications, but would want to make
sure that the option to do so is not available others (be it
out of paternal considerations to save them from their own
folly?) would it make sense to oppose the reserved field.

Secondarily, one might just give up the fight or choose to
to fight another day, but then one can stay silent, it is
not a valid opposing view.

> So moving this feature into a new optional
> extension (both the pinning field and a description of the associated
> behavior) appears to me to be the past of least resistance.

I wish I could be confident that such a specification would
be allowed to move forward.  My fear is that the same visceral
opposition to DANE and DNSSEC would play out, and so I may as
well try to get past these now.

> By continuing to argue your position, the most you can hope to
> achieve is deadlock.

The topic is fair-game while the draft is still being revised.

> (Addendum: I did want to thank you for pushing on the issue of
> explicitly allowing authenticated denial of existence chains in the
> current draft. In environments where all TLS servers support this
> extension, this allows the protocol to be bulletproof in a way that
> satisfies even the security purist, so I'm glad it's in the core
> spec.).

Thanks.  Please a look at the first commit in the pull-request.  It
covers blocks of text that I think need revision now that denial of
existence is an option.

Please also see the proposed change to the first paragraph of section 6.