IETF Logo Mail Archive

Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)

Shumon Huque <shuque@gmail.com> Fri, 23 February 2018 19:20 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C59271241F3; Fri, 23 Feb 2018 11:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQMScODOoorG; Fri, 23 Feb 2018 11:20:13 -0800 (PST)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B21C61205F0; Fri, 23 Feb 2018 11:20:13 -0800 (PST)
Received: by mail-io0-x236.google.com with SMTP id b34so10890182ioj.6; Fri, 23 Feb 2018 11:20:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZksCrGAFNV1cp5fNAjOeChv/ObleQzDSf9UKT67Aoa0=; b=sr4XYxo/FGNFclaBXr9ow6yjFxdv01Px3MocPD0LSvrlidJhtKuGjJ+I4Tq1Fad7oD TQrBQ8j8nEhsCt3HOZebNQ5nI58b0efJrjqbmAdUvdnZtYLxLoz6gXpj/rvB+JnsToSr PTnQA2ZfVSsxKvFacKDCFvMyEA9gZjrSx3hSOCLhwDskC+AbqOah61aJBbh2DmTa5QSW cR2FPyxFwFUumQeEuQAzqPJ55MqYxusjQTCNxspUlWyMtAbbchl6mCQV5EobL9dVgjFe PLxDo4qIc8dq3tLrbm3iz9Mfy06UEG4qXTcL/eWy6dhy9N4pvHaK769YB+aaN7bhY9hb /KiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZksCrGAFNV1cp5fNAjOeChv/ObleQzDSf9UKT67Aoa0=; b=Gjc7i9ktAjmZQyyZ1jj0gQ94GOq2gSJoo+POruUcXqnBzc3FzLa11b3AIqHtoeIEXn BxDTOpXrZz/x7xzyVNh4c8GaHHRNo96Cy9AOGpI1OWzUtYBKjYwd6wvQczZEU4lpR8ub mzV8RK9yT3MMcIoR2XARCysF3p5JrMOr/6rBenIrpc/Sk/YxSBqEGr5HYAgwavt4hoWW nOtbS/2IGVdfh47ls+3qEnwMSTEbs17lndqdowC+vTMn898V14TGi+BWdyK+tdb3PfkH 71gA8fU/Itt5ohwz2an9kUlv8Lbau456Fn3cEKd6DKPTdT67AsxibjKjQVl3W490XyVX yKgQ==
X-Gm-Message-State: APf1xPDPSf2R+EGuhMzy5kGHFod9vK/8O9CtIieG5SSXnV052RHO/CEj sJ8pTSaO+WWlIWguDgPwPl1avcsg1ESJ+H+SqSA=
X-Google-Smtp-Source: AG47ELvYbZ0O6Hg8iQXwHaRY3nbI/Fk2vbpIuKwVjWo4nkdIbp2or2SQbGxWUf8K5Bld4NO+40cQGfTKEWArpd4gLxs=
X-Received: by 10.107.181.133 with SMTP id e127mr3098909iof.243.1519413613028; Fri, 23 Feb 2018 11:20:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.201.198 with HTTP; Fri, 23 Feb 2018 11:20:12 -0800 (PST)
In-Reply-To: <3290585E-2C55-4F8A-A82B-06B6F509ED2A@dukhovni.org>
References: <151800968634.4877.12510609339415982154.idtracker@ietfa.amsl.com> <CAHPuVdWO1LqNBK_f4xxcgP5PLQGDw1OMJiymf3jWXSDftP07+A@mail.gmail.com> <4c90bb83-5ba1-8193-df67-38e25f76caf8@nlnetlabs.nl> <CAHPuVdUVrzwNZDYktnztxuWQ-6yt+vT1aU76D1mL9rm3N3PJFw@mail.gmail.com> <CAHbuEH7aoiBK3vbH77Qdmiu6+ULS5VyefNydpkwM6MV=SmHdEA@mail.gmail.com> <CABkgnnXk7GNSHDZexSrryF6bepG3Zu5FZi6Nzi+gFxbh39-saw@mail.gmail.com> <CAHPuVdXW3avaLVOcsBJXU+P0-Ow+60mKbs1OjLswBZdAAEFNzA@mail.gmail.com> <0FA4B497-4B9A-421B-A9A6-2FEB62D3E41A@dukhovni.org> <CAHPuVdX_0Df29d7E+cQEmyOa==y41tJZAqT1e7ck_q5ca9RJmg@mail.gmail.com> <3290585E-2C55-4F8A-A82B-06B6F509ED2A@dukhovni.org>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 23 Feb 2018 14:20:12 -0500
Message-ID: <CAHPuVdWPijAZBzsB_uHB6AZ1h+6deupOUqroQH-zMZJoGPkb9w@mail.gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: TLS WG <tls@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, tls-chairs <tls-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="001a11444c72abea0a0565e60c82"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VvPWwq6vuPl6q4BAFrhtU9d2nYQ>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2018 19:20:16 -0000

On Thu, Feb 22, 2018 at 12:21 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:
>
>
> My comments are less about middleboxes (TLS-terminating corporate
> proxies trusted by the user's browser) and more about unwanted
> active MiTM attacks.  If the MiTM attacker has obtained WebPKI
> (PKIX) certificates for the destination, then this new extension
> will not protect the user even when the destination has TLSA
> records, because the server can deny their existence (not offer
> the extension) without proof.
>
> What makes this case different is that the naïve mental model
> of what it offers is support for DANE-based peer authentication
> equivalent to doing the DNSSEC lookups on the client end, but
> with DNSSEC tunneled via the server.
>
> Therefore, some text is probably warranted to disabuse the reader
> of such a naïve view.  What one gets with this extension, in the
> more typical cases in which DANE is not "mandatory", is not
> equivalent to enforcing DANE when it is published by the peer.
> Rather, what one gets is the ability to use DANE to authenticate
> sites that one might not otherwise be able to authenticate (no
> shared WebPKI trust-anchor).
>

Yes, I agree that some elaboration on this limitation of the protocol
is useful. In case you missed it, I do actually document the limitation
quite explicitly in Section 8, which I'll excerpt here:

   "This protocol currently provides no way for a server to prove that it
   doesn't have a TLSA record.  Hence absent whitelists, a client
   misdirected to a server that has fraudulently acquired a public CA
   issued certificate for the real server's name, could be induced to
   establish a PKIX verified connection to the rogue server that
   precluded DANE authentication.  This could be solved by enhancing
   this protocol to require that servers without TLSA records need to
   provide a DNSSEC authentication chain that proves this (i.e. the
   chain includes NSEC or NSEC3 records that demonstrate either the
   absence of the TLSA record, or the absence of a secure delegation to
   the associated zone).  Such an enhancement would be impossible to
   deploy incrementally though since it requires all TLS servers to
   support this protocol."

But perhaps it needs to feature more prominently in the document
rather than being buried in the context of a discussion about mandating
the use of this extension. The limitation exists independent of whether
a TLS application is trying to mandate things.

My suggestion is to move this discussion to the beginning of the
Security Considerations section, and then adding some of your
elaborating points, including a direct comparison with clients querying
DANE records themselves. It might also be worth a brief mention in the
Intro section that the protocol lacks authenticated denial and pointing
the reader/implementer to the Security Considerations section for more
details.

Shumon Huque

v2.23.0 | Report a Bug | By Email