Re: [TLS] some thoughts on dnssec-chain-extension, pinning, and broader semantics

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 05 November 2018 18:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vTjfK4Ze-dZYqGb7AhOXadqedd4>


> On Nov 5, 2018, at 1:22 PM, Salz, Rich <rsalz@akamai.com> wrote:
> 
> I need to review things some more, but FYI I believe I will say that mixing
> trust models is a bad idea, and opportunistic fallback seems both premature
> optimization and adding in the risk. I would support bringing back -07 semantics.

That's the trouble with "short responses", they are too short to get the key
details across.  This is NOT a simple issue that can adequately be reduced
to a couple of pithy paragraphs.

The -07 document is broken and has lost consensus.  It has a broken unilateral
client-side TOFU pinning downgrade protection mechanism, that nobody wants.
Removing it entirely severely limits the scope of the draft to much less than
was intended and was promised in the introduction.

We're not "mixing" trust models, DANE explicitly supports either augmenting
WebPKI (certificate usage 0/1) with CA or EE certificate assertions, or 
bypassing it with usages 2/3.  SMTP does 2/3 only, I would expect browsers
to look to do 0/1, which has the benefit of getting both DANE and CT, DANE
provides stronger authentication than DV cert issuances, while CT provides
some measure of auditability.

There are many problems with -07 beyond just pinning, various gaps in the
smaller design that really should be addressed.

I could write more, but then folks are liable to stop reading, I don't know
how to get past that, except by becoming an author, and finally issuing
a new version of the draft for review (~25 commits pending on GitHub waiting
for the green light), that folks might have to actually read all the way
through... :-(

-- 
	Viktor.
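
Added example, not part of the original message or of the draft: a sketch of how the four DANE certificate usages from RFC 6698 split into "augment WebPKI" (0/1) and "bypass WebPKI" (2/3), as the message describes. The function names, the `webpki_ok` and `links_ok` inputs, and the placeholder certificate bytes are assumptions made for illustration; only selector 0 (full certificate) is handled.

```python
import hashlib

# RFC 6698 certificate usages: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE.
NEEDS_WEBPKI = {0: True, 1: True, 2: False, 3: False}   # 0/1 augment, 2/3 bypass
MATCHES_LEAF = {0: False, 1: True, 2: False, 3: True}   # EE vs CA/trust anchor
DIGESTS = {0: lambda b: b,                               # matching type 0: exact
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex'; return None for records unusable here."""
    try:
        usage, selector, mtype, data = rdata.split(None, 3)
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        blob = bytes.fromhex("".join(data.split()))
    except ValueError:
        return None
    # Simplification: only selector 0 (full certificate) is handled.
    if usage not in NEEDS_WEBPKI or mtype not in DIGESTS or selector != 0:
        return None
    return usage, mtype, blob

def authenticate(tlsa_rrset, chain, webpki_ok, links_ok):
    """Return the usage of the first TLSA record that authenticates, else None.

    chain: certificates, leaf first. webpki_ok and links_ok are results the
    TLS library would supply (assumed inputs): WebPKI validation passed, and
    each certificate is correctly signed by the next one in the chain.
    """
    for rdata in tlsa_rrset:
        parsed = parse_tlsa(rdata)
        if parsed is None:
            continue
        usage, mtype, want = parsed
        if NEEDS_WEBPKI[usage] and not webpki_ok:
            continue            # usages 0/1 constrain WebPKI, never replace it
        if usage == 2 and not links_ok:
            continue            # DANE-TA still needs a valid path to the anchor
        candidates = chain[:1] if MATCHES_LEAF[usage] else chain[1:]
        if any(DIGESTS[mtype](cert) == want for cert in candidates):
            return usage
    return None

# Constructed placeholder bytes standing in for DER certificates.
LEAF, CA = b"constructed-leaf-cert", b"constructed-issuing-ca-cert"
CHAIN = [LEAF, CA]
LEAF_SHA256 = hashlib.sha256(LEAF).hexdigest()
CA_SHA256 = hashlib.sha256(CA).hexdigest()
```

With the same leaf hash published, a usage 3 record authenticates a chain that fails WebPKI validation, while a usage 1 record does not.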