Re: [TLS] Enforcing Protocol Invariants

Hubert Kario <hkario@redhat.com> Fri, 16 November 2018 15:08 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A97F130EDA for <tls@ietfa.amsl.com>; Fri, 16 Nov 2018 07:08:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6rT705MY3f-N for <tls@ietfa.amsl.com>; Fri, 16 Nov 2018 07:08:19 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 865BD130ED9 for <tls@ietf.org>; Fri, 16 Nov 2018 07:08:19 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BBC619E60A; Fri, 16 Nov 2018 15:08:18 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-35.brq.redhat.com [10.40.200.35]) by smtp.corp.redhat.com (Postfix) with ESMTP id CBD001054FD2; Fri, 16 Nov 2018 15:08:17 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 16 Nov 2018 16:08:16 +0100
Message-ID: <2620706.ylDbxqFaDo@pintsize.usersys.redhat.com>
In-Reply-To: <2168AD22-D717-48B5-9370-26E72B4ECF86@dukhovni.org>
References: <CAO7N=i0g9d9x5RdF_guKm3GDAxVRHSV+eHffs6kiJm6dWO7tvw@mail.gmail.com> <CAHOTMVKrfbmxJ-gk+dR_XaozjX=BJqmEpmHEFAs2GuMi4MBMMA@mail.gmail.com> <2168AD22-D717-48B5-9370-26E72B4ECF86@dukhovni.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart9839415.idQUyZEuo5"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Fri, 16 Nov 2018 15:08:18 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PinaF_ElyTjL4qZORk_72559R84>
Subject: Re: [TLS] Enforcing Protocol Invariants
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2018 15:08:22 -0000

On Tuesday, 13 November 2018 00:13:58 CET Viktor Dukhovni wrote:
> [ I agree that this thread is off topic for this WG, thus below
>   just a short OT aside on some oft-repeated critiques of DNSSEC. ]
> 
> > On Nov 12, 2018, at 2:15 PM, Tony Arcieri <bascule@gmail.com>; wrote:
> > 
> > The cryptography employed by the X..509 PKI is substantially more modern
> > than what's in DNSSEC. Much of DNSSEC's security comes down to 1024-bit
> > or 1280-bit RSA ZSKs.
> It is true that while the KSKs tend to be 2048-bit RSA, ZSKs are typically
> 1024-bits or 1280-bits.
> 
> 	http://stats.dnssec-tools.org/#keysize
> 
> That said, all the TLDs are using 2048-bit KSKs, and we're seeing
> increasing adoption of ECDSA in DSSSEC:
> 
> 	http://stats.dnssec-tools.org/#parameter
> 
> and the .CZ and .BR TLDs switched to ECDSA this year, and more will likely
> follow.
> 
> Furthermore, the weakest link in the chain for both WebPKI and DNSSEC is not
> the cryptography.  Rather it is operational weaknesses in the enrollment
> processes.
> 
> For WebPKI, we basically have TOFU by the CA based on apparent
> unauthenticated control of a TCP endpoint as the basis of certificate
> issuance, occasionally strengthened via DNSSEC(!) validated CAA records
> and/or ACME challenges.

but that TOFU is global, not local to a client

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic