Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <> Mon, 16 April 2018 16:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 41B1D12DA13 for <>; Mon, 16 Apr 2018 09:33:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oLgVSmDKYfZy for <>; Mon, 16 Apr 2018 09:33:27 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8D5D112D95F for <>; Mon, 16 Apr 2018 09:33:27 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 024C4A004915; Mon, 16 Apr 2018 09:33:27 -0700 (PDT)
Received: from localhost ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 97BA5A000B32; Mon, 16 Apr 2018 09:33:26 -0700 (PDT)
Date: Mon, 16 Apr 2018 11:31:23 -0500
From: Nico Williams <>
To: Jim Fenton <>
Message-ID: <20180416163123.GZ25259@localhost>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Apr 2018 16:33:29 -0000

On Fri, Apr 13, 2018 at 12:16:43PM -0700, Jim Fenton wrote:
> From reading the abstract and introduction to this draft, it appears to
> be proposing mostly a performance improvement for retrieving web pages
> using DANE authentication. There is some security improvement, but that
> seems to be incidental to the performance improvement. That would argue
> in favor of publishing the draft as-is. However:

It's not just a performance improvement.  It's also a last-mile
technology: for clients that cannot perform DNS lookups due to being in,
e.g., hotel networks.  And it adds security.

Using DANE adds security, that's for sure, since one can then rely on
both, PKIX *and* DNSSEC, which can only add security.  Or, if one does
not trust the WebPKI, then only DNSSEC.  I have no opinion as to which
of WebPKI alone, WebPKI + DNSSEC, or DNSSEC alone, is best, but I have
an opinion as to who ought to decide that: the server operator.  This
document gives the server operator that power, but it does not give the
server operator any power over client pinning behavior, which means that
operators will not turn this on for apps where it's not mandatory.

That is, without revision, this document really does not help security
as much as with a rather minor revision.  We should want that minor
revision because the (at-this-time-intangible) gain is potentially
large, while the (at-this-time-intangible) cost/risk of not making that
revision is equally large.

> From the discussion I have read, there seems to be disagreement about
> what even the semantics of this pinning would be. And if it's unclear to

Among proponents there are no disagreements over pinning semantics.
Pinning would be only to the use of the _extension_, not to the use of
DANE, nor to any particular DANE usage.  That is, if the server does not
have TLSA RRs, it could still use this extension [to satisfy a client
pin] to send the denial of existence proof, and the client's pin would
be satisfied.

> the WG participants, it's going to be even less clear to others that are
> implementing this. I am also of the opinion that pinning is somewhat

How would that follow?  Shouldn't we see proposed text before we can
tell if it would be unclear to implementors?

> subtle; it requires a detailed understanding of the mechanism to remove
> (expire) the pin, and if done wrong can result in availability problems.


(A) gives us a modicum of pin-clearing capability: if you get a denial
of existence then you could clear the pin on the client.

However, (A) + (B) (i.e., (C)) would give us the ability to separate the
pin set/clear from the DNSSEC payload of the extension.  *This* would
give server operators all the control they need to feel safe enabling
pinning behavior.

It is much simpler to change a TTL in a server configuration than to
make changes in the relevant DNS zone(s).  Thus (C) or some (C') (see
below) would be much better than (A).

> In addition, the pins here would be maintained in individual browsers.

And other user-agents for other application protocols (e.g., MUAs).

> There is less benefit from pinning because unlike some other pinning
> mechanisms, there isn't any leverage of the TOFU experience had by others.

TOFU works reasonably well.  It's risky for an attacker to mount an
active attack that will be detected if the client has a pin -- this risk
acts as deterrent.

> This requires further thought, and I do not support adding pinning to
> this draft. Perhaps as a separate draft, but the WG needs to decide on that.

I wouldn't mind a (C'): a variant of (C) where we get denial of
existence and a one- or two-byte TTL (one by count of weeks or two-byte
count of hours) with de minimis text about it, leaving pinning semantics
to a separate document.  In such a (C') we'd elide all pinning (or most*)
in this document.

* We might want to say that if the TTL is zero then the clients MUST NOT
  pin and must clear any pin.  And we might do this in spite of not
  describing any pinning semantics -- explicitly leaving pinning
  semantics to a future document.