Re: [TLS] Cert Enumeration and Key Assurance With DNSSEC

Ondřej Surý <> Mon, 04 October 2010 16:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B20273A6CAB; Mon, 4 Oct 2010 09:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.296
X-Spam-Status: No, score=-1.296 tagged_above=-999 required=5 tests=[AWL=0.404, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JFC1rq1UnrrH; Mon, 4 Oct 2010 09:28:43 -0700 (PDT)
Received: from ( [IPv6:2001:1488:800:400::400]) by (Postfix) with ESMTP id ECFE33A6D8A; Mon, 4 Oct 2010 09:28:41 -0700 (PDT)
Received: from [IPv6:2001:1488:ac14:1400:224:e8ff:fea9:f617] (unknown [IPv6:2001:1488:ac14:1400:224:e8ff:fea9:f617]) by (Postfix) with ESMTPSA id 366D3734236; Mon, 4 Oct 2010 18:29:36 +0200 (CEST)
Message-ID: <>
Date: Mon, 04 Oct 2010 18:29:35 +0200
From: =?ISO-8859-2?Q?Ond=F8ej_Sur=FD?= <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100915 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: Phillip Hallam-Baker <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] Cert Enumeration and Key Assurance With DNSSEC
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Oct 2010 16:28:44 -0000


you present your views by cross-posting several other IETF mailing list 
without posting this to  This doesn't give potential 
readers full picture about what's happening in the keyassure and what is 
the general consensus in the list.

So please all - if you want to respond to Phillip's message, first go to 
keyassure mailing list archive[1], then join the the list[2] and comment 
there.  I don't think we want to fill our inboxes with this discussion 
(which should really happen in keyassure) in several copies.

While we value input from other working groups it is already hard to 
follow the discussion in one mailing list and when it splits to many, it 
will be just a mess.



On 1.10.2010 17:29, Phillip Hallam-Baker wrote:
> For the past month I have been participating in the KEYASSURE discussions.
> One aspect of those discussions that was not made clear in the original
> notice sent out is that the group is not only considering key assurance,
> the proposals made are also intended to have security policy semantics.
> This was not apparent to me from reading the list announcement, the
> initial proposed charter or the Internet drafts. I have asked the
> organizers of the group to clarify the matter in the wider IETF
> community but they have not done so.
> In particular I am very concerned about the particular approach being
> taken to security policy. What the proposers are attempting to do is to
> create a mechanism that allows a site that only uses one particular high
> assurance CA to 'protect' themselves against SSL certificates being
> issued by low assurance CAs.
> As such, this is an objective I approve of and is one that I would like
> to see supported in a generalized security policy. It should be possible
> for a site to make security policy statements of the form 'all valid
> PKIX certs for <> have cert X in the
> validation path'.
> What I object to is the approach being taken which is to use DNSSEC to
> replace PKIX certificate validation entirely.
> Now the proponents are trying to downplay this by saying that 'all' they
> are doing is to tell people to 'ignore' PKIX validation. But that
> approach really offends my sense of layering.
> Worse still, the proponents refuse to allow any method of shutting this
> system off. So if I have a site where I want to use DNSSEC validated
> certificates on the mail server, deployment is going to impact my Web
> server.
> Specifically the proposal amounts to using the DNS CERT record to
> publish a fingerprint of all the certificates permitted for use with TLS
> at a specific domain:
> <> CERT TLSFP 0 0 <digest cert 1>
> <> CERT TLSFP 0 0 <digest cert 2>
> It is proposed to replace current TLS certificate processing semantics
> with the following:
> 1) Query for CERT record at <>
> 2) If no CERT record with TLSFP certificate type exists then perform
> normal PKIX validation and return that result
> 3) Otherwise attempt to match the TLS end entity certificate with one of
> the fingerprints specified in the published TLSFP RRs
> 4) If a match is found return VALID, otherwise return INVALID
> Note here that if there is a TLSFP RR that it takes precedence over PKIX
> processing rules.
> There should of course be DNSSEC validation performed in that process as
> well, but the authors have not explained how that is meant to work in
> the context of their proposal so I left it out.
> The defenses made for this approach are of the form 'you have to wear
> big pants to play this game'. In other words if people are going to
> administer these systems and not be burned they are going to have to
> understand what they are doing. I do not consider this a responsible
> approach to protocol design.
> What I would prefer is to have systems that do not need to be
> administered by people at all. That is not possible when the approach
> has hidden side effects that cannot be anticipated by scripts.
> I am very much committed to the idea of doing security policy. But this
> is not an approach I can support. Any policy mechanism has to be
> orthogonal to the key validation strategy in my view. I should be able
> to use any DNS security policy mechanism that the IETF endorses with
> PKIX certificate processing semantics.
> I have proposed an alternative approach in
> This does not currently contain a mechanism to express trust
> restrictions but is designed to be extensible to support such. When I
> proposed ESRV I was unaware that the KEYASSURE proposal was intended to
> have a security policy aspect at all. It is still not made explicit in
> their draft.
> Using the revised version of ESRV I am currently writing, a security
> policy of the form 'always use TLS with any protocol at
> <>' would have the form:
> <> ESRV "tls=required"
> A security policy that was specific to http would be expressed as:
> <> ESRV "prefix=_http._tcp"
> <> ESRV "tls=required"
> or
> <> ESRV "prefix=*"
> <> ESRV "tls=required"
> The reason for this change from the -00 version is that this approach
> supports CNAMEs.
> The reason that I started with the requirement to use SSL is that
> security policy relating to trust criteria is meaningless until you have
> a statement that use of SSL is required.
> I have no objection to doing security policy. But I do have a real
> objection to an approach that negates PKIX semantics as the TLSFP
> approach does.
>     -------- Original Message --------
>     Subject: New Non-WG Mailing List: keyassure -- Key Assurance With DNSSEC
>     Date: Tue, 17 Aug 2010 11:36:02 -0700 (PDT)
>     From: IETF Secretariat <
>     <>>
>     To: IETF Announcement list <
>     <>>
>     CC: <>,
> <>,
>     <>
>     A new IETF non-working group email list has been created.
>     List address: <>
>     Archive:
>     To subscribe:
>     Description: This list is for discussion relating to using
>     DNSSEC-protected DNS queries to get greater assurance for keys and
>     certificates that are passed in existing IETF protocols. The main
>     idea is that a relying party can get additional information about a
>     domain name to eliminate the need for using a certificate in a
>     protocol, to eliminate the need for sending certificates in the
>     protocol if they are optional, and/or to assure that the certificate
>     given in a protocol is associated with the domain name used by the
>     application. In all three cases, the application associates the key
>     or key fingerprint securely retrieved from the DNS with the domain
>     name that was used in the DNS query.
>     For additional information, please contact the list administrators.
>     --
>       Ondřej Surý
>       vedoucí výzkumu/Head of R&D department
>       -------------------------------------------
>       CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>       Americka 23, 120 00 Praha 2, Czech Republic
> <>
>       tel:+420.222745110       fax:+420.222745112
>       -------------------------------------------
>     _______________________________________________
>     saag mailing list
> <>
> --
> Website:

  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  tel:+420.222745110       fax:+420.222745112