Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Willem Toorop <> Tue, 10 April 2018 10:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 16B0D124234 for <>; Tue, 10 Apr 2018 03:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id j4jw25TiopT2 for <>; Tue, 10 Apr 2018 03:04:03 -0700 (PDT)
Received: from ( [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 90942126D0C for <>; Tue, 10 Apr 2018 03:04:03 -0700 (PDT)
Received: from [IPv6:2a04:b900:0:1:8fd:440a:450b:c41e] (unknown [IPv6:2a04:b900:0:1:8fd:440a:450b:c41e]) by (Postfix) with ESMTPSA id A118A8F0E for <>; Tue, 10 Apr 2018 12:04:01 +0200 (CEST)
Authentication-Results:; dmarc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1523354641; bh=L+plF0ZfxX/Wf/OzhYNatT95V7bJ5WFGMlAdI2H1G4o=; h=Subject:To:References:From:Date:In-Reply-To; b=H7mpRCDWIqAQedPm7pYC93T6WVn+b/9FxMbf0gQqfhR7GmQE98Bw5Dgenoi2eU/bq qdFMYzmbg9jjt/8cscs1XXtX0ZTXGOHeU2DDhHLNw6VOW896wGUY/sXlqUDfvT3GuN sGtUewoMYM63yD6g7O69hKLh5sc+LKzB6+O5LNuM=
To: "<>" <>
References: <>
From: Willem Toorop <>
Message-ID: <>
Date: Tue, 10 Apr 2018 12:04:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Apr 2018 10:04:06 -0000

I support separation of concerns: publish as is, and start new work to
extend existing Strict Transport Security mechanisms to include DANE
authenticated TLS.

Currently the draft is describing only a single mechanism: Letting
owners of a (DNSSEC signed) domain vouch for their own TLS services.
Not needing a third party for this is IMHO already valuable.

HTTP Strict Transport Security (HSTS) [RFC6797] is extensible with
directives.  A new document could provide a useDANE directive for HSTS.
That document could furthermore make more explicit, that when the chain
extension delivers a denial of existence proof or a proof of insecurity,
that a fallback to non-DANE PKIX has to be done.

The chain extension already contains verification of Denial Of Existence
proofs, because that is needed for verifying wildcard expansions.  It
does not explicitly mention the fallback to non-PKIX with a Denial of
Existence proof or insecurity proof for the TLSA record, because it is
(currently) irrelevant when the extension could simply be left out too.
However, it does implicitly by referring to the DANE RFCs in paragraph 2
of section 6. Verification:

>   If the authentication chain is correctly verified, the client then
>   performs DANE authentication of the server according to the DANE TLS
>   protocol [RFC6698] [RFC7671].

Because the current draft is describing only the embedding of DANE
records to authenticate the TLS service, it is quite short and to the
point.  I am afraid that built-in STS would bloat it with a lot of
concerns that are not specific for the simple mechanism of embedding DANE.

The extension as currently is does not add security like DANE over DNS
protocol would have. This is pointed out in in the draft in Section 8,
in which a mechanism like STS is also already suggested.

I have a few questions too.

Currently the extension contains only DNSSEC data, which can be verified
to be authentic and correct.  Is this also true for an additional TTL
value?  Is it safe to do STS at TLS ClientHello time?  Why is there not
a STS specification at TLS level already (which would also cover imaps,
pops etc.), but only for protocols one layer above TLS?

-- Willem

Op 04-04-18 om 19:50 schreef Joseph Salowey:
> Hi Folks,
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the
> working group is either to publish the document as is or to bring the
> document back into the working group to address the following issues:
> - Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> - Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> This is a consensus call on how to progress this document.  Please
> answer the following questions:
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?
> If the answer to 1) is no then please indicate if you think the working
> group should work on the document to include 
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> B) Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> C) Both
> This call will be open until April 18, 2018.
> Thanks,
> Joe
> _______________________________________________
> TLS mailing list