Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 25 June 2022 20:43 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1371BC14CF06 for <uta@ietfa.amsl.com>; Sat, 25 Jun 2022 13:43:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYRTRD_0OjKW for <uta@ietfa.amsl.com>; Sat, 25 Jun 2022 13:43:33 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4320AC14F73B for <uta@ietf.org>; Sat, 25 Jun 2022 13:43:32 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 9D7A4FF2D5; Sat, 25 Jun 2022 16:43:31 -0400 (EDT)
Date: Sat, 25 Jun 2022 16:43:31 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <Yrdzc0bkQGMRXVGM@straasha.imrryr.org>
Reply-To: uta@ietf.org
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <YrdXuGgMKMM+gKJn@straasha.imrryr.org> <DF17FC56-87DB-4002-B84F-A81B3AE99F83@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DF17FC56-87DB-4002-B84F-A81B3AE99F83@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/DBgirG9swqCxFTGNcaYSijbFltQ>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2022 20:43:34 -0000
On Sat, Jun 25, 2022 at 10:13:28PM +0300, Yaron Sheffer wrote:
> My question was about identity validation, which is what 6125bis is
> about. So it's a subset of your second option, "validation of
> certificates". And yes, this boils to, are DANE-based EE certificates
> expected to adhere to the draft's requirements.
Yes, when the DANE TLSA certificate usages are:
* PKIX-TA(0) (trust-anchor constraint)
* PKIX-EE(1) (pkix with EE pinning)
* DANE-TA(2) (trust-anchor assertion)
But when the certificate usage is DANE-EE(3), then for some
application protocols (notably not HTTP) it is admissible to
ignore names and expiration in the certificate, because these
are more than adequately handled at the DNS layer.
> And the reason I raised this question is that the draft defines its
> own scope with these words:
>
> This document applies only to service identities that meet these
> three characteristics: associated with fully-qualified domain
> names (FQDNs), used with TLS and DTLS, and are PKIX-based.
Even DANE-TA(2) is "PKIX based" for validating all the certificates
below the trust-anchor. All that changes is the source of the trust
anchor from local to remote via DNS. Whether DANE-EE(3) also needs
to adhere PKIX-rules depends on whether UKS (Unknown Key Share) attacks
are a concern for the application in question or not.
> I wasn't sure whether "PKIX-based" should be interpreted to include
> DANE certificates.
It does for the majority of the certificate usages, but in practice
today DANE is primarily used with SMTP, and predominantly with
DANE-EE(3) TLSA records, in which case identity questions are settleda
at the DNS layer, and the presented identifiers in the certificate are
irrelevant.
If some point DANE is implemented at a large cloud provider for which EE
bindings are operationally unattractive, and that provider elects
DANE-TA(2) instead, then even in SMTP there may (at least by message
volume, if not domain counts) come a time when PKIX-style identity
rules dominate. This is already the case with MTA-STS of course.
--
Viktor.
- [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Viktor Dukhovni
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Yaron Sheffer
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Alexey Melnikov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Martin Thomson
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Valery Smyslov
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Salz, Rich
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 tom petch
- Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06 Peter Saint-Andre