IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Richard Barnes <rlb@ipv.sx> Thu, 05 April 2018 03:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2C24127735 for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hH79fTFDaYkG for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 20:04:14 -0700 (PDT)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2D99127369 for <tls@ietf.org>; Wed, 4 Apr 2018 20:04:14 -0700 (PDT)
Received: by mail-ot0-x22e.google.com with SMTP id j8-v6so18133867ota.7 for <tls@ietf.org>; Wed, 04 Apr 2018 20:04:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TGcHwgk8aDw5JoUjtyvdZyGmVvD5Leyfa3EvB1mno5E=; b=LV865ioVpwa4WIBVTMyo0PoFc9jdqbKVzOZF1k0GmXBOjqqqjfuZB5IPjqgorWVLBb xNqheddG8ePDCdAGNUlknokxShH3RseIsUL/ckORazpnIPluLwgB0Te+UGRxRVBd2E8e 5x8LbBMg4Gh55dB6RmSd1k70huJeR8PcG4mV/kLLZ6+Uxkti+Wa9KOHss0BMqDMwFxpa 1vXYCaXZdlEfpaHamPfIR7kactPunYEsLOtLuuVCLPld6mrgAK2vxltAgSnBb5dJhx29 Ebu3x23fevjsoAIayXB6xfaG73ti6vm9SAyrqRjVIX/SvBbCQe57AM4RCMdk9YNdXYEs abMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TGcHwgk8aDw5JoUjtyvdZyGmVvD5Leyfa3EvB1mno5E=; b=iP0MDv7NwduTwyPgDKP6U54CFPqufETEPQHrRORBn1McRzJN75vBa7VrlRmJ8SU3mh kh09JlUVKTGDLfGoCWXS1n9ZvnhE8yscQdXHOWIGXF7pHXm/SSjJfqo+akg/Ku0k6J/Y counGFo9hlWkzbv4zGKLPgtvuoCAoT9C3NUD1Loo+3e3vnN6v+eIU2wu188tiGnNRbX7 4ZxF3JTLXfjAt2DmNE6VkkUkPf3p4ImnsRnO6VBnTHOYKR8eagFdNldKalTZnKwXMVwF Q+fykG7zahky69JgqoyiH+2IaEU+r1OHTRlDK4mrRWbpdcGaLo3uRTyF1xGKdmtsgEmU lnLw==
X-Gm-Message-State: ALQs6tBVRQeffOLXfj10ezvxIKc+S3sn/LAWXPjFamBS0hIv8u7b9dT9 wTLIK9sBPNDbPiJ3NrjbV6g6MGg82CGnl40IoGOVww==
X-Google-Smtp-Source: AIpwx4+7zidy23sCnh3ZG871JgUYRMtGBZzaTisixmLbPgolBZIQEuFW373BY1zkEjs8YpHesr3AkmuIuuEDlI/Juec=
X-Received: by 2002:a9d:5403:: with SMTP id j3-v6mr12980621oth.52.1522897453940; Wed, 04 Apr 2018 20:04:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CAL02cgSOQVZR96Veh7EEMCoQO7-+5ucdBiAUcAXGt6QFEopXNA@mail.gmail.com> <CAL02cgTQgpAGBv1+-2GTCPSgNDD5TMd0xQw8bQDpe9BiacBarA@mail.gmail.com> <20180405023106.GJ25259@localhost> <CABcZeBPcqLrSdAcJaeXKsLY6vzT1UquCdiQX0yHSBDoV0re7eA@mail.gmail.com>
In-Reply-To: <CABcZeBPcqLrSdAcJaeXKsLY6vzT1UquCdiQX0yHSBDoV0re7eA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 05 Apr 2018 03:04:03 +0000
Message-ID: <CAL02cgTB3FsBYz5jjF2xbOWXSr38q3dVsi1Qo-Ptyhhzeh=60Q@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Nico Williams <nico@cryptonector.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c58db2056911310a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mM1n5EtI9eMdNfSjCowdXEiUEIc>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 03:04:17 -0000

And just to be clear, by "downgrade attack", you mean "normal PKI
authentication that we rely on today".  There's nothing in here that
degrades security (except maybe the legacy crypto in the DNS); it's just
not meeting the bar that you are setting.   That doesn't mean there's not
still some utility to be had.

--Richard


On Wed, Apr 4, 2018, 22:57 Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Apr 4, 2018 at 7:31 PM, Nico Williams <nico@cryptonector.com>
> wrote:
>
>> On Thu, Apr 05, 2018 at 02:39:43AM +0000, Richard Barnes wrote:
>> > Re-adding the list.
>>
>> Removing one level of quotes.
>>
>> > On Wed, Apr 4, 2018, 22:34 Nico Williams <nico@cryptonector.com> wrote:
>> >> On Wed, Apr 04, 2018 at 07:22:38PM -0700, Eric Rescorla wrote:
>> >> > I don't think that this comparison is particularly apt.The
>> >> > representation in HSTS is simply "I support HSTS". The representation
>> >> > in HPKP is "I will use either consistent keying material *or* a
>> >> > consistent set of CAs". The representation here is "I will continue
>> to
>> >> > have DNSSEC-signed DANE records". That is a significantly more risky
>> >> > proposition than continuing to support TLS (and I'm ignoring the risk
>> >> > of hijacking attacks that people were concerned with with HPKP), and
>> >> > so this seems rather more like HPKP to me.
>> >>
>> >> Without a TTL (with zero meaning "clear the pin to DANE") this
>> extension
>> >> can only really be used with mandatory-to-use-with-DANE protocols,
>> where
>> >> the commitment to "continue to have DNSSEC-signed DANE records" is
>> >> implied.
>> >
>> > This is just not true.  As I said in my earlier message, servers can
>> > switch based on the ClientHello.
>> >
>> > Clients advertise which methods they support, servers switch, and they
>> > both see how often DANE gets used.  When it gets high enough, they turn
>> off
>> > the fallback.  Just like every other TLS feature we've ever done.
>>
>> If clients and servers just negotiate the use of DANE, then there's a
>> downgrade attack when DANE is the only outcome desired by the server
>> operator but some WebPKI CA is willing to issue a rogue certificate for
>> it.
>>
>> That downgrade is a fatal flaw for any protocols where this extension
>> isn't mandatory.
>>
>> QED.
>>
>> We cannot be serious about security while promoting a protocol with a
>> glaring downgrade attack.
>>
>
> Unfortunately, you are conflating the assertive and restrictive use cases.
>
> To recap, there are two potential reasons why one might want thi
> technology:
>
> 1. Assertive: To avoid having to engage with the WebPKI (e.g., because it's
> a pain). This rationale was stronger back before Let's Encrypt, but
> I suppose some people may still feel that way.
>
> 2. Restrictive: To protect yourself from compromise of the WebPKI.
>
> Yes, if your motivation is #2, then the flow you suggest is a real problem,
> but it's not a problem for #1. While not an author of this document, I'd
> understood it's primary motivation to be #1, and that's what Richard's
> earlier notes have said as well.
>
> -Ekr
>
>
>

v2.23.0 | Report a Bug | By Email