IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Eric Rescorla <ekr@rtfm.com> Thu, 05 April 2018 03:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4DF127369 for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoekJIWeihtS for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:07:24 -0700 (PDT)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2BB3127077 for <tls@ietf.org>; Wed, 4 Apr 2018 20:07:23 -0700 (PDT)
Received: by mail-oi0-x234.google.com with SMTP id e123-v6so21217599oih.13 for <tls@ietf.org>; Wed, 04 Apr 2018 20:07:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lf3QGATpPHMGrRBKAelGgPJt/rsnEkeWVz10Sz5qMWw=; b=Zxh9XxVcDxDYzZHAtQQaURYRhaHUqB8xeRrQWplNHPka9FJSFYmP2PiE7HzGcJCO94 RTf7mSHXEru6ohpWrsyE9GWz/IwmZNeS6ZN3s6tA/OWn2SHb/b87ceY/3diXV35mQKf+ 2GL/uHHBTVxWiMklO6IwlQViojfv82MXus1QeSd0rhokpE+bvkslrDAw6CUq6H75QIcP 8tMdUrxfR+Izd9B+2qSop9kpXSIZAgFPcqYeYIS2zwa7xZo4lmfxgJzyGnxq70/GwJGx ZZ+QHCR7NE+8yIQtbopuD9yzGBs05OyZZTsOblZQgHHDJxIYE4gGoSAwroPnSWotAK/x kH/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lf3QGATpPHMGrRBKAelGgPJt/rsnEkeWVz10Sz5qMWw=; b=LP3fICcX8xOsxaXHs0ErinYRPyxjDzqWeJIsMxqoFCmJ5JfBhJBzsjGuH/0tUPvWgF 7uIeoRqq+xb4MTkC7Og0N1Dk31F3ZTjHk7YLi/uybSVoqkiqCZCW/ShXFuUG/Jo8AGm9 PdFdTwkB+OTjow7+hoApivS0A/81RhgSLXrfD/XEPGTnWd89lO7Wr+4mw2c7OhacDjQj cmNl8+aXbbFYHqnn74D80KaBEUnB/wxcuwh0R2/rR7/dhBfNSH+fFxh6wqDyqfBUo7oO 44+4cbgMRUH3f4FRyqAta9ug7/70wfVkOBtboN8+d+3dxsyMoopvPifQwiFh8rPuFE7n i65Q==
X-Gm-Message-State: ALQs6tBdUDIt5lGd5i4MfFSqNU0KrWo4lBHYRvFJB/VOLvzSveM/a1J2 FMdKboD0+qTj5X7Ghx9lr4bmcTvs/u1gMucybiAcXRqTHXc=
X-Google-Smtp-Source: AIpwx4+Z5DDsb1kaEx28feMi/VOGcQM84lpju0EfpCb2WNlT5H2PNOc2yzuTWutezvbywaYrWKSZ3PdQQXi5+Q1lmHk=
X-Received: by 2002:aca:3114:: with SMTP id x20-v6mr12029440oix.108.1522897643200; Wed, 04 Apr 2018 20:07:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.130 with HTTP; Wed, 4 Apr 2018 20:06:42 -0700 (PDT)
In-Reply-To: <20180405023456.GK25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CABcZeBMGdXPF9if8Z_Gnc5MoOrZAOPEV2K3i5Bd_ewC6fdxOEg@mail.gmail.com> <20180405023456.GK25259@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 04 Apr 2018 20:06:42 -0700
Message-ID: <CABcZeBM8MPMhpb9LpqkWAV7LmsUabk3Q7CtxLFaFMFLQVg-H0g@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000d8b340569113dec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gvWDGG9qPKuGMJytPbIk8GwB6Xg>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 03:07:25 -0000

On Wed, Apr 4, 2018 at 7:34 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Wed, Apr 04, 2018 at 07:44:53PM -0700, Eric Rescorla wrote:
> > On Wed, Apr 4, 2018 at 7:20 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> >
> > > On Wed, Apr 04, 2018 at 07:22:38PM -0700, Eric Rescorla wrote:
> > > > I don't think that this comparison is particularly apt.The
> > > > representation in HSTS is simply "I support HSTS". The representation
> > > > in HPKP is "I will use either consistent keying material *or* a
> > > > consistent set of CAs". The representation here is "I will continue
> to
> > > > have DNSSEC-signed DANE records". That is a significantly more risky
> > > > proposition than continuing to support TLS (and I'm ignoring the risk
> > > > of hijacking attacks that people were concerned with with HPKP), and
> > > > so this seems rather more like HPKP to me.
> > >
> > > Without a TTL (with zero meaning "clear the pin to DANE") this
> extension
> > > can only really be used with mandatory-to-use-with-DANE protocols,
> where
> > > the commitment to "continue to have DNSSEC-signed DANE records" is
> > > implied.
> > >
> >
> > This simply isn't true, for the reasons Richard Barnes indicated in his
> > response
> > to you.
>
> See my response to him.  For any non-mandatory use of this extension,
> without the pinning semantics there is a glaring downgrade attack.
>

I've responded to this separately.


> > HPKP had a TTL and yet as a practical matter, people found it very
> > problematic.
>
> I can see why: you have to commit to one certificate in the chain not
> changing.


No, this isn't correct, in two respects.

1. HPKP pins the SPKI, not the certificate, it's about the *key* not
changing,
and intermediates and roots change quite infrequently.
(https://tools.ietf.org/html/rfc7469#section-2.1.1)

2. It's not one key. HPKP allowed you to pin multiple keys and in fact
*required* you to set a backup pin
(https://tools.ietf.org/html/rfc7469#section-2.5)


Whereas here you only have to commit to continue to publish
> TLSA RRs (and signing them and your zone).  This is a big difference.
>

I don't think that's it all obvious that this is going to be easier to
guarantee,
especially given the rather high DNSSEC misconfiguration rate
(https://link.springer.com/content/pdf/10.1186%2Fs13388-015-0023-y.pdf,
https://indico.dns-oarc.net/event/14/contribution/14/material/slides/0.pdf).

> And, of course, if you're concerned with hijacking attacks, the
> > hijacker will just advertise a very long TTL.
>
> But it's a TOFU-ish thing.  The server impersonator has to have the
> right timing or else be detected -- that's very risky for them, and a
> deterrent to even trying.  It's not fool-proof, but it's not nothing
> either.
>

Given that the motivation for this kind of hijacking was generally
expected to be vandalism or ransom, this doesn't seem very comforting.

-Ekr


> Nico
> --
>

v2.15.0 | Report a Bug | By Email