Re: [Uta] STS policy removal

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 25 April 2017 15:09 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2E4131BFF for <uta@ietfa.amsl.com>; Tue, 25 Apr 2017 08:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vmjBj3hb1ipX for <uta@ietfa.amsl.com>; Tue, 25 Apr 2017 08:09:39 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EDF7131BC9 for <uta@ietf.org>; Tue, 25 Apr 2017 08:08:33 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 6BB867A32F1 for <uta@ietf.org>; Tue, 25 Apr 2017 15:08:32 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CANtKdUdKmOisdh1j_cFuJ=VCyxJBH-GMWW4DAowC2KZjCFUk1A@mail.gmail.com>
Date: Tue, 25 Apr 2017 11:08:31 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: uta@ietf.org
Message-Id: <F9592600-68CB-484C-922E-3FBB2D8AE9A1@dukhovni.org>
References: <52dde16a-a3bb-5844-7daa-a349def85049@wizmail.org> <80676A32-78CB-4FFA-AEE4-94DA95102B98@dukhovni.org> <a2a6e5f5-ff3b-272b-abda-b49fe23a485d@wizmail.org> <605FE793-3D82-4C4F-9F93-D50DF4320DF5@dukhovni.org> <9402ac0a4990432f994656ddaf94b9e2@COPDCEX19.cable.comcast.com> <CE55E42E-9845-46A6-B0AA-F56CE56F2936@dukhovni.org> <CANtKdUevHbQaUga2=X0tFy4K=po=DL=pKUn-2KZQgRUPTtYAig@mail.gmail.com> <B8600601-9344-427A-B159-B57E982F3BAF@dukhovni.org> <CANtKdUdKmOisdh1j_cFuJ=VCyxJBH-GMWW4DAowC2KZjCFUk1A@mail.gmail.com>
To: uta@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/NvZwVriU7u3fY4pjYUHCU7qX67Y>
Subject: Re: [Uta] STS policy removal
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2017 15:09:42 -0000

> On Apr 23, 2017, at 8:42 AM, Daniel Margolis <dmargolis@google.com> wrote:
> 
>>>>  How does a domain get rid of its STS policy?  I thought we had discussed
>>>>  using "max_age = 0" for this, which after being in place long enough to
>>>>  assure that all previously cached policies have expired can be removed.
>>>>  Or might just "404" suffice
>>> 
>>> Yes, I remember discussing this. But I am not sure such a mechanism is needed.
>> 
>> I rather think it is needed.  When a domain changes hands, or no longer wishes
>> to deal with the hassles of certificate expiration, it must be possible to
>> revoke the policy.
>> 
>>> 1. Domains can publish a "report" policy (with or without a TLSRPT record!)
>>> with a low expiration
>> 
>> What happens when that expires?  It is again found and refreshed unless there's
>> a way to ultimate say "no policy".
> 
> Sure, but as I explained, given any hypothetical "opt-out" mechanism, it is
> theoretically not possible to design one which you do not have to keep publishing
> until $time_you_last_had_a_different_policy + $that_policy's_max_age has passed.

That's not the problem.  The problem is that even after that time expires the
current specification does not appear to provide a means to *ever* stop publishing
a policy.  A "report" policy will get cached and then be subject to another timer,
lather/rinse/repeat.  How does the "report" policy ever transition out of existence,
without looking like a downgrade attack?

Are you suggesting to rely just on eventual flushing of expired cache entries that
fail to refresh?  And in the mean-time clients may burn some cycles keeping reporting
data that is unwanted, and may never be sent.

There ought to be a way to cleanly stop the process without failing retries at the
end of the cycle.  A "max_age = 0" should suffice (published for the previous
max_age + DNS TTL).

-- 
	Viktor.