Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 13 April 2018 02:55 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DAB61243F6 for <tls@ietfa.amsl.com>; Thu, 12 Apr 2018 19:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBPHYI-xkjW6 for <tls@ietfa.amsl.com>; Thu, 12 Apr 2018 19:55:52 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DBB7120227 for <tls@ietf.org>; Thu, 12 Apr 2018 19:55:52 -0700 (PDT)
Received: from [10.200.0.109] (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id F3D237A3309 for <tls@ietf.org>; Fri, 13 Apr 2018 02:55:50 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBPJY1tsnCTYFbLoFSUX8pdVE7ZCi-+7kWsZkx8vwR_0YA@mail.gmail.com>
Date: Thu, 12 Apr 2018 22:55:49 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <57382E5B-3562-426F-8E1D-58E140296DBC@dukhovni.org>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <CAHPuVdXfVQ5ZYL+dTvFeTfOaz2NNPrqxvnWuqJkxu0aaKDF_Sg@mail.gmail.com> <20180410235321.GR25259@localhost> <20180411173348.GP17433@akamai.com> <alpine.LRH.2.21.1804120438460.24369@bofh.nohats.ca> <CAL02cgSuTOaT_NwnpXaa8DPhNJhzqZwepRL+J29BzcBfCTDtHw@mail.gmail.com> <CAHbuEH78KNyk8fnHThRkCERKPjZzYppi1uhkDx6kL_t448q0_g@mail.gmail.com> <20180412175441.GD20782@akamai.com> <6db83a59-1f0f-f552-0d48-6e2a8d43f602@nomountain.net> <CABkgnnUwOjkY1_KejV-YOw3YRqjFfzaYurEY1OpZ8phQVhcWLg@mail.gmail.com> <114FE78D-F340-4752-BEF0-459FE1548A80@dukhovni.org> <aa7ca33a-4acd-c770-a43c-df7a1f66c782@nlnetlabs.nl> <E3918F11-9AD7-4C06-9173-5175ECACD16B@dukhovni.org> <CABcZeBP6-7_NNmC+7iVnNXbQw7p3jJH4eC1-EjY4C4CwdWWNcg@mail.gmail.com> <702DDD4B-4609-476C-9BAA-6AA05978135F@dukhovni.org> <CABcZeBPJY1tsnCTYFbLoFSUX8pdVE7ZCi-+7kWsZkx8vwR_0YA@mail.gmail.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ojjY3DtFnM0v0Oad-f2HlYbtzdc>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 02:55:54 -0000


> On Apr 12, 2018, at 7:47 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> In the current document, there is no expectation that clients will pin the
> server's use of TLSA and therefore the server can safely stop using
> TLSA (or run a mixed server farm). However, because this text implies
> that the client *could* pin, in order to ensure interoperability the server
> would have to provide authenticated denial at the risk of connection
> failure with such clients. However the text also does not require that
> the server do so. Thus, a conformant client and a conformant server
> can fail if the server just stops using TLSA.

Another way of looking at this argument is that we should not recommend
that servers should return denial of existence, because if we do, then
servers that don't return denial of existence might find themselves less
interoperable than those that do.  So everyone should be less interoperable,
so not that nobody is relatively disadvantaged.

An honest assessment of the situation is that indeed returning denial
of existence is more generally interoperable in the face of unknown
client behaviour, and so should be recommended as suggested.

I am only mildly sympathetic to the slippery slope argument that this
may facilitate expectations of such behaviour in clients.  We are not
here to police future design decisions for fidelity to pure
interpretations of the draft.  If client expectations are desirable
in future applications, and servers coöperate, then hooray, we have
a specification that meets real world needs.

That said, the proposed language is not intended to be ann a-priori
license to "pin as you see fit" with no prior application-specific
standard defining what constitutes interoperable behaviour.  This
specification provides a mechanism, not policy.  Applications will
have to define the relevant policy options.  My goal all along has
been to make sure that the mechanism is sufficiently flexible to
accommodate a range of application policies.  [ Thus also the proposal
for the additional TTL hint, which supports a broader range of possible
policies. ]

If you'd like me to craft revised option (A) text, that includes a suitable
caveat, I can try.  Or you or someone else can propose an alternative.
I only ask that it be honest about the server's options: serving the denial
of existence (DoE) records does interoperate with a broader range of client
policies.

In an application where the extension is absolutely optional, i.e. clients
MUST NOT (and do not in practice) expect consistent use by the server,
returning the DoE records would not be substantively different from simply
leaving out the extension.  The client must be able to function in some
fashion with the extension missing, whether legitimately or stripped.

In applications where some clients expect downgrade protection the server
returning DoE records continues to work and the one not returning them might
not interoperate with clients that expect to consistently learn the truth
(good news or bad) about the servers TLSA records.

Does anyone want to propose better text?

-- 
	Viktor.