Re: [TLS] Why TLSA RR and not CERT RR?
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 26 June 2022 20:55 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E30BC1A7F2E for <tls@ietfa.amsl.com>; Sun, 26 Jun 2022 13:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUwkqPZOP_h0 for <tls@ietfa.amsl.com>; Sun, 26 Jun 2022 13:55:38 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D91E2C13181F for <tls@ietf.org>; Sun, 26 Jun 2022 13:55:38 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 10C46FFA21; Sun, 26 Jun 2022 16:55:35 -0400 (EDT)
Date: Sun, 26 Jun 2022 16:55:35 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <YrjHx4E8LcSyZAbm@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <fbd4826a-8604-9170-b7ea-a5ed86ef1462@htt-consult.com> <CABcZeBP3ew2YXKgcfgQwzBTPjG=diAYURBJ+8d1ULJ3pHSUigg@mail.gmail.com> <108daf4e-37e0-f32e-cf1b-70d51c45987a@htt-consult.com> <9e8e4eb7-09b1-a98c-bda6-e11108897140@htt-consult.com> <CABcZeBOiOL_m5-f5rSrxRo3Ag7M1UfNPEtVVn5Or_TGJ+6iFig@mail.gmail.com> <da7c89ee-91aa-c572-7ec7-b0e1b0eb1e8c@htt-consult.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <da7c89ee-91aa-c572-7ec7-b0e1b0eb1e8c@htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nzy7iMrFCPncDzCLfRQE8jEr-bE>
Subject: Re: [TLS] Why TLSA RR and not CERT RR?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2022 20:55:39 -0000
On Sun, Jun 26, 2022 at 04:29:38PM -0400, Robert Moskowitz wrote:
> I will use them in draft-ietf-drip-registries for our X.509 certs and
> our 'custom' attestation certs (private OID will be needed). And then
> the powers-that-be can sort it out as we move forward.
Why do the certificates need to be delivered via DNS? Are TLS or DTLS
not suitable as protocols between the subject and relying party?
What is the management model for these certificates? How will key
rollover at the subject be coördinated with changes in the DNS?
TLSA records are flexible in that they can specify trust-anchor keys or
certificates (typically their digests) as well as EE keys or
certificates. Multiple TLSA records can be published at the same RRset,
and rollover is facilitated by requiring only one to match.
The need to tightly synchronise regular certificate rollovers with DNS
changes can be avoided by keeping EE keys stable, or publishing a stable
issuer trust-anchor key. Alternatively, one can pre-publish future
EE public keys and then use that key in a later certificate rollover
if observed in DNS for a sufficient number of TTLs, or else renew the
certificate with the extant key.
So there are well-understood (if not yet universally practiced)
operational practices that enable robust deployments of DANE TLSA.
Is there something similar for the proposed use of CERT? Is publication
of (often multi-kilobyte) full certificates in DNS a good idea?
--
Viktor.
- [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Eric Rescorla
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Eric Rescorla
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Viktor Dukhovni
- Re: [TLS] Why TLSA RR and not CERT RR? Jim Reid
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? John Levine
- Re: [TLS] Why TLSA RR and not CERT RR? Phillip Hallam-Baker