Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 October 2018 22:16 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CCF130E52 for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 15:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zf8K2OYnjBzw for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 15:16:37 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4910B130E4B for <tls@ietf.org>; Tue, 16 Oct 2018 15:16:37 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id CAA52F99F for <tls@ietf.org>; Tue, 16 Oct 2018 18:16:35 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id EDE1820356; Tue, 16 Oct 2018 18:16:25 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: tls@ietf.org
In-Reply-To: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
References: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com>
Date: Tue, 16 Oct 2018 18:16:22 -0400
Message-ID: <875zy1czbd.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i-QiIGuIghsjgaCObq97dmxYzD0>
Subject: Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 22:16:39 -0000
Hi all-- I'm disappointed in how long this WG is taking to get draft-ietf-tls-dnssec-chain-extension out the door. I agree with both Tom and Viktor that the current draft seems to be misaligned between the goals and the stated scope. I wanted the draft to be done by now because i think it will be useful in "greenfield" scenarios -- ones where the use case itself can mandate the extension without negotiation, but i understand Viktor's point that without any sort of negotiated pinning mechanism, the draft is probably not useful for non-greenfield scenarios (without pinning the existence of the extension, it cannot reduce the attack surface represented by the CAs, and instead only represents an additional vector of attack). I can understand why people want to be able to make this useful for non-greenfield scenarios, but it appears that we're hung up on the pinning details. I actually don't think that extension pinning needs to be particularly hard, and i don't think it's as dangerous as HPKP's pinning, but i won't go too far into the weeds here. Just a quick summary of my understanding: * The existence of a pin only requires that the service operator maintain the ability to respond to this extension in the future -- it doesn't require specific keys, or even the use of DANE itself. It is not nearly as large a risk as HPKP's pins were. * Pinning fears are based on two scenarios: (a) footgun, where the service operator makes a mistake, or (b) a malicious pin is set by an adversary who has owned your domain. (a) is overwhelmingly more common, and is what we should focus on. In the (a) scenario, the admin has already deployed the extension, so there is no risk. The (b) scenario only matters if a service cannot deploy the extension as intended, which is more of a chicken/egg problem of deployment and implementation. I don't think that's a huge risk but if we really want to try to cover it, i think there are ways that we could minimize it as well. That said, it sounds like negotiating the details of how to do this pinning is the main blocker, and i'm sick of this proposal being blocked (because i want it for "greenfield" implementations last year). So one way forward would be to complete this extension without the pinning (explicitly acknowledging that it will not be useful for non-greenfield implementations on its own) and get it out the door. Then we can subsequently create a new extension that is only a "how-to-pin-dnssec-chain-extension". This is an approach that would expose at the protocol layer the ugly truth about how hard it is to get something through the IETF process, but if it helps to break the impasse, i'd be all for it. I'm willing to provide text for why this is only useful for greenfield implementations, if asked. Alternately, if people could agree on a simple and clear pinning scheme that we could get out the door all in one piece, i'd be happy with that too. I will be sad if we manage to not get anything at all completed for another year. --dkg, tired of waiting
- [TLS] Interim notes and draft-ietf-tls-dnssec-cha… Christopher Wood
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Tom Ritter
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Daniel Kahn Gillmor
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… John Levine
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Sean Turner
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Interim notes and draft-ietf-tls-dnssec… Benjamin Kaduk