Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 04 July 2018 02:44 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793EC130EA4 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 19:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfe8y9w5e-h2 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 19:44:50 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 543E9130934 for <tls@ietf.org>; Tue, 3 Jul 2018 19:44:50 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 4410C2975E9; Tue, 3 Jul 2018 22:44:49 -0400 (EDT)
Date: Tue, 03 Jul 2018 22:44:49 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20180704024449.GI85096@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <CAP8yD=vdpdw3=_O5u_zPxVWiVTYj=CA+k-ZHNTyqkU+_KkH4CA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAP8yD=vdpdw3=_O5u_zPxVWiVTYj=CA+k-ZHNTyqkU+_KkH4CA@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rYYm6Kgw36VvkF4Xs21aymagRYg>
Subject: Re: [TLS] draft-ietf-tls-dnssec-chain-extensions security considerations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2018 02:44:53 -0000
On Tue, Jul 03, 2018 at 10:41:18AM -0400, Allison Mankin wrote: > I haven't chimed in on the mailing list on this draft, but I'm one of the > people who had discussions with browserfolk in hallways, in the corners of > interim meetings for HTTP2, and other such places, in order to see what it > would take to get a start on TLSA use by browsers. The present dilemma for this draft is how to ensure that it has enough security benefit to warrant deployment and sufficient scope to cover would-be applications. The draft as originally approved had two major defects: * Required not only extension support, but also DNSSEC and DANE TLSA records in order to support "greefield" applications that mandate the extension from the get-go. * No plausible path to incremental adoption by existing WebPKI applications, that can't mandate the extension (let alone DNSSEC and DANE), but might employ DANE when present, but otherwise continue with WebPKI alone. The first defect is addressed by incorporating denial of existence. This allows a server to present an extension that proves lack of DNSSEC for a containing DNS zone or just absence of the associated TLSA records. In this way "greenfield" applications that mandate the extension can interoperate with servers that have not yet deployment DNSSEC or DANE. The second defect requires at least the ability to mandate the extension, when a server commits to continue to present it for some time. Since pinning is potentially fragile, we should be pinning as little as possible. Hence once again only support for the extension, rather than a continued expectation of DNSSEC, DANE, particular certificate details, ... This is NOT HPKP. This requires denial of existence support, adding which fortunately seems to have broad consensus. > Looking forward to discussion in Montreal. I'd like to see as much of the discussion as possible on list, where we can get responsive comments from informed participants, and not just "humming". > > 1. Do you support the working group taking on future work on a pinning > > mechanism (based on the modifications or another approach)? > > I support future work if there is extensive engagement and involvement by > members of the browser community who have expressed concerns about pinning. * TLS is not exclusively for HTTPS. * This extension is NOT just about browsers. It should support IMAP, SUBMIT, POP, XMPP, NNTP, ... * The "concerns about pinning" are often related to the unsurprising failure of HPKP. It is unfortunate that HPKP has tainted "pinning". And yet the IETF has just approved MTA-STS, which pins a commitment to WebPKI authentication along with a list of the domain's MX hosts. It is easy to taint the proposed downgrade protection mechanism by associating it (incorrectly) with HPKP. The proposal DOES NOT pin the peer certificates or keys. This is an STS-lite proposal, that pins only a capability: support for the extension for a particular TLS service endpoint. And in this case no "testing" mode is applicable, and sub-domain pinning is impactical. Looking at the existing STS-like protocols, it is easy to see that only their TTL applies here. > Reserving the bytes without a mechanism is not a good idea, so no. I don't see a rationale for this. The mechanism is a TTL to be carried in those bytes. We're willing to accept a variable-length field in order to accommodate objections that a TTL *might* not be enough, and a compelling case for additional attributes might be made in the future. I'm confident that no such case will hold up to scrutiny. -- Viktor.
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Nico Williams
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Joseph Salowey
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Bill Frantz
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Allison Mankin
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Melinda Shore
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Martin Thomson
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Eric Rescorla
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters
- [TLS] draft-ietf-tls-dnssec-chain-extensions secu… Benjamin Kaduk
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Viktor Dukhovni
- Re: [TLS] draft-ietf-tls-dnssec-chain-extensions … Paul Wouters