Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Viktor Dukhovni <> Wed, 11 April 2018 19:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BF9E7129C56 for <>; Wed, 11 Apr 2018 12:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8XVJ9dlY8e2H for <>; Wed, 11 Apr 2018 12:12:51 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A9DE1271FD for <>; Wed, 11 Apr 2018 12:12:51 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id E9B6A7A3309 for <>; Wed, 11 Apr 2018 19:12:50 +0000 (UTC) (envelope-from
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Wed, 11 Apr 2018 15:12:50 -0400
Content-Transfer-Encoding: 7bit
Reply-To: TLS WG <>
Message-Id: <>
References: <> <> <20180410235321.GR25259@localhost> <>
To: TLS WG <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Apr 2018 19:12:54 -0000

> On Apr 11, 2018, at 1:33 PM, Benjamin Kaduk <> wrote:
> You say this, but to me it seems a relevant factor when determining the
> target scope for the spec.  That is, if some individual believes that
> DANE is amazing and the Web PKI is crap, then that individual is likely
> to want to see DANE take over for the Web PKI in authenticating Web TLS
> connections, and as such see that as a vital motivating factor for
> any work involving bundling DANE records in the TLS handshake.

My motivation for updates to the draft is that *neither*

	1. WebPKI sucks, DANE rules
	2. WebPKI rules, DANE sucks

is a good zealous position.  Each have their strengths and weaknesses.
For, example, for DV certificates, I am of the opinion that DANE is
more resistant to mis-issuance.

Given that neither 1. or 2. is objective truth, the draft should
support "restrictive" use where neither is fully trusted, and
and a server operator publishes (for _443._tcp) *restrictive*
DANE TLSA records with certificate usage PKIX-EE(1) or PKIX-TA(0),
with the expectation that when/if browsers that adopt and support
this specification they'll enforce *both* WebPKI *and* DANE.  But
that requires downgrade protection.  This applies to not just browsers,
but to any application in which the installed base is WebPKI, and
DANE is of necessity incremental and so opportunistic (used when
published, but not a-priori mandated).  Examples, IMAP, JMAP, NTTP,

As it stands, this draft fails to provide the downgrade protection
needed for opportunistic adoption.  It mentions in Section 8 that
some clients might apply an infinite pin (a fragile strategy), but
fails to describe denial of existence as a valid way to comply with
such a pin should TLSA records be removed.  And without a server
TTL hint, the infinite pins make adoption in multi-datacentre
deployments impractical.

The draft has a serious scope deficiency.  And indeed you're right
that the key issue is *scope*, but an overly narrow scope is
a substantial technical issue.  Further, little attention has
been paid in the WG to the scope issue, and the document sailed
through with discussion mostly around just the data formats,
and the key issue of scope fell through the cracks.

> Someone
> who is less keen on DANE over the Web PKI may not share that enthusiasm
> or confidence for focusing the scope on that use case.

I would say that WebPKI adherents would also want to make sure that
any use in existing WebPKI applications would be *restrictive* and
not either WebPKI or DANE whichever is weaker.  But then the draft
needs to have downgrade protection, and the applications in question
might (converse of RFC7672) require any DANE TLSA records with
usages other than PKIX-TA(0) or PKIX-EE(1) to be treated as "unusable".

So it all comes down to whether it is appropriate to go forward
with a very narrow scope (perhaps even too narrow for the initial
applications, but that's debatable) and ask future adopters in
new spaces to write new drafts (and pay the delay of having to
wait for those to get reviewed and adopted), or amend the
draft to anticipate future uses beyond the immediate motivating
use case.

My view is clearly in favour of an anticipatory scope.  Future
implementors in new applications would likely not bother to
start if the cost of that is going through the IETF process
for a new extension to augment this one.