IETF Logo Mail Archive

Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 22 February 2018 16:09 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E1F12D7F1; Thu, 22 Feb 2018 08:09:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rH-bEBQ7JxW; Thu, 22 Feb 2018 08:09:01 -0800 (PST)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 325F812D7F4; Thu, 22 Feb 2018 08:08:54 -0800 (PST)
Received: by mail-ot0-x22a.google.com with SMTP id 79so5049942oth.11; Thu, 22 Feb 2018 08:08:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=e6MRrLC7mAXaVbiZQCds1mpFN1OZipLIN2WALf0EwBQ=; b=R93fVELpXa+rXRRcdVIc7fnr0NW4jIm8u90PryqRvrBO9+iAnnyAPIjZv04/GO14Ke KO+KWFeobVVhAjFgeuBTKW1Xz2+Z64PIZxO4IU5ZB/5pjhfERxeHIuB+MsPC5GqSgHc1 kzOsaMd2q5p4fAv5QH3jxClOB+QaOZtU/DdJYctExWXJ0SLYNRBEBWLCIseRfdnGRRFh 74Nq18MJVLa9oLak4hI6N3BHDx/bbxK3EKhLvR3NhumytoE/oIRaglLjCE5jy0mZWMwd EjjGmeMJWXI16UzIHFPTQz8Y2DDGX/v7UTfDNbfJ/HWcsjPEIWHsfuOjrinUz9Gw2GCZ dDQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=e6MRrLC7mAXaVbiZQCds1mpFN1OZipLIN2WALf0EwBQ=; b=jnqRzopCm+iohe1Y/2n4DSo36lv69KwkzzHeRqu0AJuodZKiv/Oo+/gF/Yn0IdCZfT KjtOVyf5o+OG8Cy3OP30giH2dsYhclVABbbSZFMjsoCfFAtRORtmGhKPFxb1t/9WhI8Q Yqdjd8Lq0Mg1mNTPnsb+Ss3hkjty49sF4UrT7q59rtw9bFVAX4A8HFH64aQXsmH4OhuI dHi41JRpIqctnXzb65ewPceF8lL46XHXClw2h8dQoOYcwNBn2I+b4gGNbue18dgWDk5z XaJA+j+9T90SMikQ/9NQzaIq+YU4MMW9ceXIaKY9UwkKFrpQB/8tMiVl0oJhuGDOTT9w 6F+g==
X-Gm-Message-State: APf1xPBMU3/UqtlqzplGbEbFih/RZ1zwHUtIRIPGLLrfllAiLGttprK/ OqSE/tThYxjZ7setKs5vc+F5HJ30npLzM+kQPKA=
X-Google-Smtp-Source: AH8x224j51NWEFUoUBrhvyMApZHyPF02bMI2jSlh4cK7/pmJqx2krKDXlhg5/UjTYpoTAD+d5NRmhufzw39G1236YEo=
X-Received: by 10.157.11.199 with SMTP id 65mr5362131oth.40.1519315733472; Thu, 22 Feb 2018 08:08:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.119 with HTTP; Thu, 22 Feb 2018 08:08:13 -0800 (PST)
In-Reply-To: <CAHPuVdX_0Df29d7E+cQEmyOa==y41tJZAqT1e7ck_q5ca9RJmg@mail.gmail.com>
References: <151800968634.4877.12510609339415982154.idtracker@ietfa.amsl.com> <CAHPuVdWO1LqNBK_f4xxcgP5PLQGDw1OMJiymf3jWXSDftP07+A@mail.gmail.com> <4c90bb83-5ba1-8193-df67-38e25f76caf8@nlnetlabs.nl> <CAHPuVdUVrzwNZDYktnztxuWQ-6yt+vT1aU76D1mL9rm3N3PJFw@mail.gmail.com> <CAHbuEH7aoiBK3vbH77Qdmiu6+ULS5VyefNydpkwM6MV=SmHdEA@mail.gmail.com> <CABkgnnXk7GNSHDZexSrryF6bepG3Zu5FZi6Nzi+gFxbh39-saw@mail.gmail.com> <CAHPuVdXW3avaLVOcsBJXU+P0-Ow+60mKbs1OjLswBZdAAEFNzA@mail.gmail.com> <0FA4B497-4B9A-421B-A9A6-2FEB62D3E41A@dukhovni.org> <CAHPuVdX_0Df29d7E+cQEmyOa==y41tJZAqT1e7ck_q5ca9RJmg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 22 Feb 2018 11:08:13 -0500
Message-ID: <CAHbuEH4QbhWdw36E+4wAYcO5jxjr-bTBw_rHL5JutvPS91iAEg@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Viktor Dukhovni <viktor@dukhovni.org>, The IESG <iesg@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, TLS WG <tls@ietf.org>, tls-chairs <tls-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rWNfcl3daDuUdj8dgY-ll92vz9E>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 16:09:02 -0000

On Thu, Feb 22, 2018 at 10:59 AM, Shumon Huque <shuque@gmail.com> wrote:
> On Wed, Feb 21, 2018 at 1:49 PM, Viktor Dukhovni <viktor@dukhovni.org>
> wrote:
>>
>>
>>
>> > On Feb 21, 2018, at 11:00 AM, Shumon Huque <shuque@gmail.com> wrote:
>> >
>> > On Tue, Feb 13, 2018 at 5:50 PM, Martin Thomson
>> > <martin.thomson@gmail.com> wrote:
>> > On Wed, Feb 14, 2018 at 4:07 AM, Kathleen Moriarty
>> > <kathleen.moriarty.ietf@gmail.com> wrote:
>> > > What's the behavior when the middlebox is a proxy, let's say existing
>> > > a managed network?  I presume from from section 3.1 that this
>> > > negotiation doesn't work in that instance unless sites configured for
>> > > this are not subject to the proxy as is often done for financial site
>> > > access from corporate networks.  It would be good to know if it does
>> > > work and that is addressed with the text Mirja calls out for her #1
>> > > question.  Having this clarified could be helpful.
>> >
>> > If there is a MitM, then this extension simply isn't negotiated.
>> > That's pretty well understood.  I don't see why that requires special
>> > mention.
>> >
>> > Yeah, I agree Martin .. this is the same as with any other extension.
>>
>> Actually, I don't think it is quite the same.
>
>
> I meant same in the sense that if any extension is blocked then it
> can't be used. What the effect of that is depends obviously on what
> functionality the extension is providing. The TLS client can at least detect
> such blocking/stripping, and alert the application or fallback to something
> else.
>
> Have other TLS extension specs gone into the details of middlebox
> impacts?

This one is a little different though as end users are expecting e2e
without interference with this extension.  Understanding the behavior
is important for administrators and users as Viktor stated.

Best regards,
Kathleen
>
>>
>>   This extension may
>> be naïvely expected to provide a different peer authentication
>> mechanism than the traditional WebPKI.  Users who might expect this
>> extension to protect them from WebPKI compromise via DANE TLSA
>> records, need to understand that such protection only exists when
>> DANE is enforced (mandatory) by the client.
>>
>> The absence of DANE TLSA records, which is downgrade-resistant
>> when the client has access to DNSSEC authenticated denial of
>> existence (makes its own DNSSEC lookups) is no longer downgrade-
>> resistant when delivered via this extension if the client
>> is willing to accept just WebPKI in the (apparent) absence of DANE
>> TLSA records.
>
>
> Some of this is already discussed or at least implicit in the draft.
> If you want to propose specific text to add or modify, please do so ..
>
> Shumon.
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email