Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add text on MITMs, and misc changes #2

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add text on MITMs, and misc changes #2

wants to merge 4 commits into from

Conversation

nicowilliams
Copy link

No description provided.

vdukhovni
vdukhovni reviewed Dec 12, 2019
View reviewed changes
draft-dukhovni-tls-dnssec-chain.xml
@@ -320,7 +321,7 @@

<t>
The order of returned RRsets is unspecified and a TLS client MUST NOT
assume any ordering of RRsets.
assume any ordering of RRsets other than that RRsigs follow each RRset.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've now seen multiple cases of RRset not immediately followed by its RRSIG from nameservers, so we'll not make this change...

draft-dukhovni-tls-dnssec-chain.xml
<t>
Each zone in the DANE chain validation path for a domainname can
impersonate the server to any client. A mitigation is for clients
to prefer or require TLSA usage 2, binding a WebPKI issuer as the
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/prefer or//, and that would be usages PKIX-TA(0) and PKIX-EE(1).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The impersonation happens in DNS, not in the TLSA chain only. If the server generates the chain from public data, it is the public DNS data that is "wrong", but one might of course argue that the parents are always "right". If you have a rogue parent, no TLSA usage won't help you and adding trust into webpki parties just dilutes the trust and increases the attack surface by all the CAs - something we are explicitly trying to move away from with a DNSSEC based PKI. So I am opposed to introducing that now here.

draft-dukhovni-tls-dnssec-chain.xml
is for clients that can to separately lookup the DANE chain up to
the last zone delegation identified in the TLS DNSSEC chain
extension, and verify that they match.
</t>
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand the text:

      A less practical / less likely mitigation
      is for clients that can to separately lookup the DANE chain up to
      the last zone delegation identified in the TLS DNSSEC chain
      extension, and verify that they match.

draft-dukhovni-tls-dnssec-chain.xml
DNSSEC need only log changes in signed delegations (both, changes
to unsigned, as well as DS RRset changes), which are much less
frequent than WebPKI end-entity certificate issuance or TLSA RRset
signing.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to hear Paul's thoughts on this...

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are thoughts about CT-DNSSEC, but I don't think this doument should or need to reference it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@letoams letoams letoams left review comments

@vdukhovni vdukhovni vdukhovni left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nicowilliams @vdukhovni @letoams