Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations
Paul Wouters <paul@nohats.ca> Thu, 05 July 2018 03:59 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC751130DEA for <tls@ietfa.amsl.com>; Wed, 4 Jul 2018 20:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJ-MjHSIlVBj for <tls@ietfa.amsl.com>; Wed, 4 Jul 2018 20:59:48 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFC22130DDA for <tls@ietf.org>; Wed, 4 Jul 2018 20:59:47 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41LkdZ0jH2z39k; Thu, 5 Jul 2018 05:59:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1530763186; bh=h4CYIx67s7b5wNew5zEuuhWOo9+QpisTh9xqaeIipHM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=SesQUbbYosr446YtYnFybDwGhXMEXZFdWP0xzdbLnZX6f8uap7mD9Gvfi2eBYIA1m Ib4xPqZJMIrlbnBAvnSRh3NyFC56JrBkNYTElGCc/7GSZolg21wnPObx7/nK0MvfP+ cL2ciLcc6RUGEAnYObJiRlhovZPJouNE1JvLrP9c=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id OZNSTBONYUBG; Thu, 5 Jul 2018 05:59:43 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 5 Jul 2018 05:59:41 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3A1EB79AAE; Wed, 4 Jul 2018 23:59:40 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 3A1EB79AAE
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2FAF1407821F; Wed, 4 Jul 2018 23:59:40 -0400 (EDT)
Date: Wed, 04 Jul 2018 23:59:40 -0400
From: Paul Wouters <paul@nohats.ca>
To: Eric Rescorla <ekr@rtfm.com>
cc: "<tls@ietf.org>" <tls@ietf.org>
In-Reply-To: <CABcZeBMDKeYM_jnB+2hNREHOLNwOpMAfm1E69hbGdmZMFBCMRw@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1807042334230.18860@bofh.nohats.ca>
References: <20180604203947.GW13834@akamai.com> <alpine.LRH.2.21.1806050858340.8057@bofh.nohats.ca> <CAOgPGoBPfL46ogCGa4tSA2q9dikuTwrY766R5y3U-DD1k+XudQ@mail.gmail.com> <CABcZeBOQ0AueZup+sLbK1g2nJ_GUP5Oq+pzRaKmQ0y=Foa4-MA@mail.gmail.com> <20180705023310.GL85096@straasha.imrryr.org> <CABcZeBMDKeYM_jnB+2hNREHOLNwOpMAfm1E69hbGdmZMFBCMRw@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/blooTry4KKYioClTeK1PfCM8PvM>
Subject: Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2018 03:59:52 -0000
On Wed, 4 Jul 2018, Eric Rescorla wrote: > In any case, as Martin Thomson says, we have a perfectly good > extension mechanism which can be used to add pinning later without creating any placeholder here. The IETF should not publish security protocols that are trivially downgraded. The work _should_ really be completed within this document to address all downgrade attacks. As a _compromise_ there have been suggestions done to let this document be published while commiting to a method for downgrade protection. That was not an invitation to punt it to infinity or an invitation to have a bis replace this entire document just to be ignored because some people only care about the DOH case. Besides, we would end up with identical specs apart from two bytes and the same discussion about these two bytes would happen about whether the new document Obsoletes: this one. It won't resolve the issue at all and meanwhile some people have implemented and deployed a protocol that can be trivially downgraded, or bothered to just not implement because it offers no real security benefit. If you don't like TLS extension pinning, come up with another mechanism that resolves the downgrade attack. But note that none of the comments against using two bytes for hour scale extension pinning withstood scrutiny and half of them were appeals to authority or based on people's gut feelings. So far, I've only heard incorrect comparisons with other pinning mechanism problems that ignore the fact that the source of this extension material is in DNSSEC and that the extension data is a "live snapshot" of active DNSSEC data and thus never stale/old/bad/brokeb. > That would first require there being consensus to do pinning. Again, why do you think it would be even valid to have consensus to deploy a trivially downgradable security mechanism? I would certainly expect the IESG to send this back to the drawing board, even if they missed it on their first evaluation round. Paul
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Nico Williams
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Joseph Salowey
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Bill Frantz
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Allison Mankin
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Melinda Shore
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Martin Thomson
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- [TLS] draft-ietf-tls-dnssec-chain-extensions secu… Benjamin Kaduk
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters