Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 October 2018 22:16 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CCF130E52 for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 15:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zf8K2OYnjBzw for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 15:16:37 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4910B130E4B for <tls@ietf.org>; Tue, 16 Oct 2018 15:16:37 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id CAA52F99F for <tls@ietf.org>; Tue, 16 Oct 2018 18:16:35 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id EDE1820356; Tue, 16 Oct 2018 18:16:25 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: tls@ietf.org
In-Reply-To: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
References: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
Date: Tue, 16 Oct 2018 18:16:22 -0400
Message-ID: <875zy1czbd.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i-QiIGuIghsjgaCObq97dmxYzD0>
Subject: Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 22:16:39 -0000

Hi all--

I'm disappointed in how long this WG is taking to get
draft-ietf-tls-dnssec-chain-extension out the door.

I agree with both Tom and Viktor that the current draft seems to be
misaligned between the goals and the stated scope.

I wanted the draft to be done by now because i think it will be useful
in "greenfield" scenarios -- ones where the use case itself can mandate
the extension without negotiation, but i understand Viktor's point that
without any sort of negotiated pinning mechanism, the draft is probably
not useful for non-greenfield scenarios (without pinning the existence
of the extension, it cannot reduce the attack surface represented by the
CAs, and instead only represents an additional vector of attack).

I can understand why people want to be able to make this useful for
non-greenfield scenarios, but it appears that we're hung up on the
pinning details.  I actually don't think that extension pinning needs to
be particularly hard, and i don't think it's as dangerous as HPKP's
pinning, but i won't go too far into the weeds here.  Just a quick
summary of my understanding:

 * The existence of a pin only requires that the service operator
   maintain the ability to respond to this extension in the future -- it
   doesn't require specific keys, or even the use of DANE itself.  It is
   not nearly as large a risk as HPKP's pins were.

 * Pinning fears are based on two scenarios: (a) footgun, where the
   service operator makes a mistake, or (b) a malicious pin is set by an
   adversary who has owned your domain.  (a) is overwhelmingly more
   common, and is what we should focus on.  In the (a) scenario, the
   admin has already deployed the extension, so there is no risk.  The
   (b) scenario only matters if a service cannot deploy the extension as
   intended, which is more of a chicken/egg problem of deployment and
   implementation.  I don't think that's a huge risk but if we really
   want to try to cover it, i think there are ways that we could
   minimize it as well.

That said, it sounds like negotiating the details of how to do this
pinning is the main blocker, and i'm sick of this proposal being blocked
(because i want it for "greenfield" implementations last year).

So one way forward would be to complete this extension without the
pinning (explicitly acknowledging that it will not be useful for
non-greenfield implementations on its own) and get it out the door.
Then we can subsequently create a new extension that is only a
"how-to-pin-dnssec-chain-extension".

This is an approach that would expose at the protocol layer the ugly
truth about how hard it is to get something through the IETF process,
but if it helps to break the impasse, i'd be all for it.  I'm willing to
provide text for why this is only useful for greenfield implementations,
if asked.

Alternately, if people could agree on a simple and clear pinning scheme
that we could get out the door all in one piece, i'd be happy with that
too.

I will be sad if we manage to not get anything at all completed for
another year.

   --dkg, tired of waiting