IETF Logo Mail Archive

Re: [websec] DNS publication of HSTS and PKP header data using CAA

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Thu, 09 April 2015 01:52 UTC

Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D1661ACDE8 for <websec@ietfa.amsl.com>; Wed, 8 Apr 2015 18:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXlB-bxKxRSV for <websec@ietfa.amsl.com>; Wed, 8 Apr 2015 18:52:06 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 9F6D61ACDE6 for <websec@ietf.org>; Wed, 8 Apr 2015 18:52:06 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTP id 64B6C286058; Wed, 8 Apr 2015 18:52:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=YEYwHI/Zgq13VCvQQNm2++LBLaE=; b=rSORxBCGosknDfu7d m6slgNhQwgohf6DRvJI7pmmRTHgFecfSms+mKgCM4pz6tiYP5ogx3raZukpKi9cs CcQKfN3c2cWGYJc6Eo+Pq9i37WpqyjwX5hW03jtW841wdM6AKGRgbFh8/Y/NAIxN vokWM477Ip6tcly21UbM3K+1sg=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTPA id 35494286074; Wed, 8 Apr 2015 18:52:06 -0700 (PDT)
Received: from 216.239.45.71 (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 8 Apr 2015 18:52:04 -0700
Message-ID: <3c6e1d6242b4bbc31d5020cf24770cb4.squirrel@webmail.dreamhost.com>
In-Reply-To: <CAMm+LwjQE-t=DQRWc95gXYuo-1oKotbKuHzadc5Od+WG+M9_nw@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com> <8b60de39fde39644fcc43150c41ba978.squirrel@webmail.dreamhost.com> <CAMm+Lwhz1bmE61sinm-faHN7L6NdPA9nH=H4fCdkMtZGPR7m5A@mail.gmail.com> <3debce5114a44d5027f437c4c481addb.squirrel@webmail.dreamhost.com> <CAMm+LwjQE-t=DQRWc95gXYuo-1oKotbKuHzadc5Od+WG+M9_nw@mail.gmail.com>
Date: Wed, 8 Apr 2015 18:52:04 -0700
From: "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com>
To: "Phillip Hallam-Baker" <phill@hallambaker.com>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/jtB9M_dJBxPgmrPMpScgpC__t2g>
X-Mailman-Approved-At: Wed, 08 Apr 2015 19:03:54 -0700
Cc: websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 01:52:07 -0000

On Wed, April 8, 2015 6:27 pm, Phillip Hallam-Baker wrote:
>  The security considerations of security policy mechanisms are all
>  about not shooting yourself in the foot.

No, they aren't. They're also about mitigating the worst that an
"attacker" could do.

>  That is why I propose to not consider the record valid for any longer
than its DNS time to live.

And now your TTL and the client caching policy of that TTL becomes part of
your security considerations.

>  I am not delivering a perfectly secure solution but neither is DANE.
>  All I am looking to do is to improve on the status quo with as little
>  extra work as possible.

All I see are negatives here compared with "the status quo".

>
>  If DNSSEC is ever deployed AND it becomes visible to clients then it
>  could be relevant to this spec. But right now DNSSEC is not a viable
>  mechanism for authenticating DNS RRs at the client.

Agreed. And so how are you going to bootstrap security over an insecure
connection, without dealing with all of the threat scenarios explicitly
and implicitly addressed by the documents you're trying to
supplant/augment?

I would encourage you to consider the exercise of "What is the worst that
an attacker could do with this policy", as well as "What's the strongest
level of security I could achieve", and hopefully in both cases you'll see
that the flaws are somewhat fundamental if delivered over an insecure
transport. And if you had a secure transport (which you don't, but we'll
assume the IETF will fix all this in good time), then you *could* use
DANE, and the only issue becomes one of syntax. Which is not an
intrinsicly good argument - and in fact, generally a bad one (syntax can
be hidden by tools, but specs - and bad specs - live forever)

v2.8.7 | Report a Bug | By Email