IETF Logo Mail Archive

[TLS] Re: -03 update to draft-beck-tls-trust-anchor-ids

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 21 December 2024 13:58 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37DF0C1840C8 for <tls@ietfa.amsl.com>; Sat, 21 Dec 2024 05:58:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdA5NuovMGXz for <tls@ietfa.amsl.com>; Sat, 21 Dec 2024 05:58:28 -0800 (PST)
Received: from smtp.dnamail.fi (sender001.dnamail.fi [83.102.40.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EEBDC180B7C for <tls@ietf.org>; Sat, 21 Dec 2024 05:58:26 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.dnamail.fi (Postfix) with ESMTP id F334E22228C9 for <tls@ietf.org>; Sat, 21 Dec 2024 15:58:24 +0200 (EET)
X-Virus-Scanned: X-Virus-Scanned: amavis at smtp.dnamail.fi
Received: from smtp.dnamail.fi ([83.102.40.178]) by localhost (dmail-psmtp01.s.dnaip.fi [127.0.0.1]) (amavis, port 10024) with ESMTP id gkY2B85NsKcm for <tls@ietf.org>; Sat, 21 Dec 2024 15:58:24 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-153-79.rev.dnainternet.fi [87.92.153.79]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hliusvaa@dnamail.internal) by smtp.dnamail.fi (Postfix) with ESMTPSA id 1004B21BEB10 for <tls@ietf.org>; Sat, 21 Dec 2024 15:58:18 +0200 (EET)
Date: Sat, 21 Dec 2024 15:58:17 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: TLS List <tls@ietf.org>
Message-ID: <Z2bJeZmfkTvGbQUE@LK-Perkele-VII2.locald>
References: <CAD2nvsQcCnP08iB5NyBBan1wCa27fK-unjfbcdfqRRePgiAHcQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAD2nvsQcCnP08iB5NyBBan1wCa27fK-unjfbcdfqRRePgiAHcQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: ISA2ODJF2SVUSYRHBOKT34AKWKGFOVIU
X-Message-ID-Hash: ISA2ODJF2SVUSYRHBOKT34AKWKGFOVIU
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: -03 update to draft-beck-tls-trust-anchor-ids
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fphoWq0rEkWT2y5Bhx8FhttEuWs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Dec 18, 2024 at 02:14:50PM -0800, Devon O'Brien wrote:
> We have cut a new -03 version of the Trust Anchor Identifiers draft:
> 
> URL:
> https://www.ietf.org/archive/id/draft-beck-tls-trust-anchor-ids-03.txt
> 
> Status:   https://datatracker.ietf.org/doc/draft-beck-tls-trust-anchor-ids/
> 
> HTML:
> https://www.ietf.org/archive/id/draft-beck-tls-trust-anchor-ids-03.html
> 
> While we didn’t get any mic time in Dublin to present the updates since our
> presentation in Vancouver, we had several conversations with attendees and
> have incorporated some suggested changes as a result.

Some issues I have been thinking about (this all concentrates on server
certificates):


1) Certificate chain mismatches between services on the same server:

Trust Anchor IDs uses ServiceMode HTTPS/SVCB records to store list
of available roots in DNS. These are logically per (logical) server.

However, the available roots may differ between two services that
are pointed to the same server via AliasMode HTTPS/SVCB records.
Especially if considering intermediates as roots for intermediate
elision (e.g., Let's Encrypt randomly issues off two intermediates).

Furthermore, ECH adds another implicit service to every server in
order to update ECH keys or to disable ECH.


2) Load-balancing certificate flip-flop:

If server is load balanced, reconnects may go to different server,
which might be out of sync with the previous server.

As consequence, root lists from previous connection might not be
correct for reconnection (especially intermediates).

Just because some service has one IPv4 and one IPv6 address does not
mean there might not be plenty of flip-flop with updates.


3) Connections racing with certificate changes:

Even without load balancing, the root lists might change between
reconnections (especially intermediats). Servers usually withdraw
certificates suddenly with no grace period.

In server software of capable of hot-reloading certificates, such
races could even occur between sending HRR and client retrying.


4) How to repair mismatches:

I think that the only feasible way to repair mismatches on server
side would be to use HRR (regardless of any potential bad
interactions with ECH).

I think altering the TLS state machine for adding a new optional
pair of flights would be far too big change. And since reconnects can
not be transparent, those are no-go for many uses. Including ones that
would benefit a lot from trust anchor negotiation.

I don't think there is a fourth way.


And reconnects can pile up exponetially:

- Client tries with bad ECH, bad trust anchors, server fixes trust
  anchors.
- Client tries with bad ECH, good trust anchors, server fixes ECH.
- Client tries with good ECH, bad trust anchors, server fixes trust
  anchors (for different service!).
- Client tries with good ECH, good trust anchors. This succeds.


Then reconnects also bypass some TLS 1.3 downgrade protections. The
client has to be very careful not to introduce downgrade attacks in the
process. Furthermore, no authentication of any kind is possible here,
so the previous connection might have been to an attacker.


5) Client filtering of IDs:

Intermediate elision presumably requires including Trust Anchor IDs
for intermediates, and that presents some special considerations.

I presume that intermediate IDs should not be included without having
an root ID the intermediate chains to.

And where CA used is known to have unpredictable/backup issuers, or
rotate issuers, it could be useful to include related issuers even
if the server does not signal those (it is just a few dozen bytes at
most, I think the 5-set Let's Encrypt uses is exceptionally large).



Then some ideas:

- If Trust Anchor IDs fails to negotiate a certificate, it should just
  be ignored. That is, fall back to whatever processing would happen
  without the extension.

  Server should not explicitly fail unless it requires trust anchor
  negotiation, and is just plain incompatible with clients that do not
  support it.


- Send all the issuer chains in every (extended) ACME response, or have
  dedicated endpoint to download the issuer chain bundle per issuer.

  This avoids having ACME client combine multiple chains from
  alternatives. Which is not as easy as it sounds because the EE
  certificates can differ, which can lead to really bizarre edge cases.

  Having bundle of issuer chains also fits a lot better with the
  configuration model of a lot of existing TLS server software.




-Ilari

v2.29.0 | Report a Bug | By Email | System Status