IETF Logo Mail Archive

[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks

David Benjamin <davidben@chromium.org> Mon, 22 July 2024 16:52 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6F3BC14F6BB for <tls@ietfa.amsl.com>; Mon, 22 Jul 2024 09:52:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.403
X-Spam-Level:
X-Spam-Status: No, score=-9.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4HTBZUjQs0k for <tls@ietfa.amsl.com>; Mon, 22 Jul 2024 09:52:07 -0700 (PDT)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF0B1C14F6A8 for <tls@ietf.org>; Mon, 22 Jul 2024 09:52:07 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id 3f1490d57ef6-e05f2adab8bso4358116276.1 for <tls@ietf.org>; Mon, 22 Jul 2024 09:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1721667127; x=1722271927; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XuLYS/RE5IdvGYY6d4H2b2z3auY3NQu82HsOgAnX88I=; b=Z9CSQWUEoWzJ//nXevXc70iwQ+jn6JUezsAojRvq6v0Vi1t9EAUHirvvbtCVWEaNrj qsfqOUvRlBDRQs3Hv9PSVaYhJ3jGWjaP9b3UiSn9Dx6ExuiTDpmh3gmuofyi6Vjwc3A8 XrgKCeblA5hCXJccevz2+FAnmsE2EBsMlQjq0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721667127; x=1722271927; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XuLYS/RE5IdvGYY6d4H2b2z3auY3NQu82HsOgAnX88I=; b=mx5OzSiTPL5+FGe0eEljvHkJNVLJzzLkVpd6UQ85gHMvHycCgXpvxbXeBMaoazrz7+ d6Zlvt+XmANsqYNNsQ7ay1ntSZbh+cdc6H/APwt/w6sdTLA4a5nj1dryaXYwsdatgrwp 3aEgMDSRQ6vOC3a/j+IKdhBs7cPLdwlnalp7o5Ibl9T0V2IP6Jluv6hZ7CdvL/F/gjgB DUReYSuwrXtjLLkg2gL5mIk/zF4FrwiZeM+0/jzTIClLXDEG6Ic20e4IOoNeQbxKEvC8 717KfyItopNGpIOUkfeLE+v8RtdqHw+i5fBY84/LHr5TfVN1IuILswIul4TP2h0K/ptA KPOw==
X-Forwarded-Encrypted: i=1; AJvYcCXDmdoaWuxEN3zo0hDbg7l6nnR6RvY8jiVd8D451Asqo26YY2X8MO4XDl5IlDLLUEVXVk/kfYq5dmUEhFo=
X-Gm-Message-State: AOJu0YyUNEIV8sHt/ElLbXn4EScw38f07TSSrVv5rt8xzlFK8aYOyUF4 7Uh1FoaA01xE+SA+sgmFTnLetXaYN+NhS/4MohxdypBQ0NSj4K+cpMvkGCv60JLvfqoa/leS3Ga EGZfFrD++dZOwXHdCBhpmdC6VesZAokbwuxU=
X-Google-Smtp-Source: AGHT+IFX3u93BsF8SGMKGJSpAVASp17oFyUGShG/WxF1fj4xETJ6wnxQne1E+HyHS5GaObKh0EB8336PWKQN2URUQb8=
X-Received: by 2002:a05:6902:2b86:b0:e02:b60c:3d2 with SMTP id 3f1490d57ef6-e08b595bf09mr387655276.50.1721667126518; Mon, 22 Jul 2024 09:52:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2nvsT4qWqudiv1C1wZn6rB4_s-9EDENq5TXEbxr_ygcMFjDQ@mail.gmail.com> <CAChr6Sw+gxK3dO29F9bsLTQReJz6LzT2hZb5O7LAXmKzQbKTSw@mail.gmail.com> <CACf5n7_29CNXLf+SmpKKOWkc_3Oi2BZqZ8irU+z=3btJns_1-Q@mail.gmail.com> <CAChr6SxJ3r88a4Aehv_5fsSWb1JApV6Lg4hfwdm0Oh5x04_shQ@mail.gmail.com> <479BA457-9001-4EBC-A84F-9E3EB71E809F@akamai.com> <CACsn0cmhsh-zeJOaa7xy_2crxgvhAF=nK9FqWxxf1dB2SMhMyQ@mail.gmail.com> <Zpu0reBpH3dtFYdf@LK-Perkele-VII2.locald> <CADQzZqtsj272Gt771Ef=VhS2+WvWKkct0Jx1=wmyS7kTu0ds1w@mail.gmail.com> <CAF8qwaB3VuWSYTi-gH99+N_cgi1ZAdMpzhrSE4=KTD5xbQMwXA@mail.gmail.com> <CADQzZqtyCQwQR2WPrBdqGGUm_tvZ7Akra5z9vqJ30x9vWBtxew@mail.gmail.com>
In-Reply-To: <CADQzZqtyCQwQR2WPrBdqGGUm_tvZ7Akra5z9vqJ30x9vWBtxew@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 22 Jul 2024 09:51:47 -0700
Message-ID: <CAF8qwaDt-vhUb-E48874QLKe-YOc3xzC4VsArzYf_BGREz0+QQ@mail.gmail.com>
To: Mike Shaver <mike.shaver@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007fde43061dd8dd68"
Message-ID-Hash: QCHHRSY7NJLA4WSCPPAZVCYXKF335O6R
X-Message-ID-Hash: QCHHRSY7NJLA4WSCPPAZVCYXKF335O6R
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tzQ3SbEHQg_XMhwpm0EXngYkp4Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Jul 22, 2024 at 8:58 AM Mike Shaver <mike.shaver@gmail.com> wrote:

> On Sat, Jul 20, 2024 at 2:23 PM David Benjamin <davidben@chromium.org>
> wrote:
>
>> On Sat, Jul 20, 2024, 06:13 Mike Shaver <mike.shaver@gmail.com> wrote:
>>
>>>  In what way are these non-web systems not allowed to use other PKI
>>> models today? How would trust anchors provide that permission?
>>>
>>
>> If the same server serves both embedded/IoT traffic and web browser
>> traffic, but we aim for the two to use different PKIs, the server needs to
>> arrange to serve different certificates to each. To do that, we need trust
>> anchor negotiation story.
>>
>
> If there is no extra-TLS means of distinguishing those cases, such as port
> or IP addresses for endpoints, then today such a system can use SNI, which
> is basically a very simple trust selection story. It is less flexible, but
> for selecting between disjoint PKIs in which to orient a given connection,
> it seems that it would suffice.
>
> PayPal and Netflix semi-famously rolled out SNI at moderate pain to
> accommodate a pretty similar situation when browsers and their IOT/etc
> devices no longer had trusted roots in common. I am not against TAs as a
> more flexible way to negotiate the PKI properties that the participants
> want to use for their connection, but I think it's counterproductive to the
> health of the web PKI to spread the idea that TA is *required* for systems
> to migrate to non-web PKI, even if they indeed need to keep using the same
> endpoints for some reason. Having those systems that are inappropriately
> using web PKI today justify further such misuse by saying that they are
> waiting for all their systems to support TA would be pretty unfortunate. I
> think that practically the process of managing and deploying new roots and
> certificates for a private PKI will make "change the hostname or port used"
> a small additional matter.
>
> To be clear, I think that TA will make it easier to resolve such misuses,
> and that this is a virtue of the proposal. I just really don't like the
> idea that it's not possible today.
>

Ah yes, I was speaking in the context of a single.service (i.e. one DNS
name), but you're absolutely right that one can sometimes send different
clients to different services instead.

I say sometimes because this is not always viable. It's a more indirect way
of addressing the root issue, so there are some limitations. First, this
requires foresight on the part of the service operator and client vendor.
If everyone knew ahead of time that the client might diverge (e.g. by way
of standing still while the ecosystem moves), then one might set this up.
But this is a perennial problem *because* people empirically do not know
ahead of time. Or perhaps the vendor even intended to continue servicing
their IoT devices, went out of business, but enough folks bought them and
continue to happily use them that some other service provider does not wish
to abandon them.

We can try to help this by encouraging such foresight as best practice, but
it takes just one important client of one important server to gum up the
works. Trust anchor negotiation, if successful, provides a solution that
doesn't require as much deployment-level foresight. (If the IoT device can
negotiate trust anchors, it's easy. If it can't, the clients that *do*
negotiate
trust anchors can still evolve freely and do not add to the PKI
intersection problem.)

Second, it assumes that the non-web PKI client does not care about the DNS
name used. When DNS names are purely internal routing labels for API
endpoints, etc., the exact DNS name used is not particularly significant.
But when they are user-visible, e.g. in the UI of a web browser,
redirecting to client-specific services isn't viable. In those situations,
we similarly would need a different solution.

We discuss this a bit in
https://github.com/davidben/tls-trust-expressions/blob/main/explainer.md#client-specific-dns-names
as well.

But, absolutely, if some other solution is easier for some deployment at
the moment, by all means go for it.

David

v2.37.1 | Report a Bug | By Email | System Status