[Cryptography] Preliminary review of the other Applied Cryptography

Viktor Dukhovni cryptography at dukhovni.org
Fri Apr 11 13:17:36 EDT 2014


On Fri, Apr 11, 2014 at 02:06:58PM +0200, Guido Witmond wrote:

> Now, how do we get browser vendors to do dnssec/dane validation by default?

It is premature to ask them to do that.  The underlying TLS toolkits,
NSS, OpenSSL, GnuTLS, ... don't yet have robust (or any) support
for DANE TLSA validation.  It is unreasonable to expect applications
to do all the heavy lifting.  The first step is adding DANE support
to the toolkits.

It is even a bit early to extend the toolkits; we've still not
agreed on digest algorithm agility for DANE, semantics for DANE-TA(2)
certificate usage edge-cases, ...  RFC 6698 is just a starting
point, it is not the destination.

I've also arrived at the insight that among any particular set of
clients and servers (say general purpose browsers and web servers
on the public Internet) there needs to be agreement about which of
the PKIX-{TA,EE} or DANE-{TA,EE} certificate usages are applicable.

It makes no sense to support all four certificate usages.  If you
choose to support all four, you get the intersection of the security
benefits and the union of the interoperability problems.

Thus for SMTP, the DANE TLS draft proposes ONLY DANE-{TA,EE} as
supported usages, with PKIX-{TA,EE} undefined.

A similar choice needs to be made in a follow-on to RFC 6698 that
more explicitly defines how DANE is to be used with HTTP on the
public Internet.  This needs to be driven by the HTTP security
community, to be standardized under the DANE WG charter, but designed
by one or two engineers immersed in HTTP security architecture.

[ HTTPS libraries would need a configurable switch to choose between
PKIX-style TLSA and non-PKIX DANE-only TLSA records.  The switch
would be set by default to match general-purpose browser policy,
whatever that might be.  Here we run into some major philosophical
obstacles.  Is it the job of TLS certificates to ensure that you're
connected to whichever server you asked to connect to, or is it to
protect you from your own folly when you visit the websites of
typo-squatters, phishers, ... The presumed value-add of PKIX EV
validation rests I believe on the premise that users need protection
from themselves as much or more than from MiTM attackers, and that
it is the job of browser TLS to address this problem. ]

Therefore, a small group of browser engineers would need to take
up the task of thinking through how to really use DANE with browsers.

In addition, browsers, much more than MTAs, are used in a variety
of DNSSEC-hostile environments, and the "last mile" problem for
DNSSEC is not yet solved AFAIK; this will take time.

-- 
	Viktor.


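Added example, not part of the message above and not code from any TLS
toolkit: a sketch of the per-application usage switch the message describes,
applied to a TLSA RRset before matching. The policy names, the function names
and the choice to treat usages a profile leaves undefined as unusable are
assumptions of this example; the usage, selector and matching-type numbers
are those of RFC 6698.

```python
import hashlib
from typing import NamedTuple

# Certificate usage values from RFC 6698, with the names used in the message.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Hypothetical policy switch: the usages each application profile accepts.
POLICIES = {
    "dane-only": {DANE_TA, DANE_EE},  # the choice the SMTP draft makes
    "pkix-only": {PKIX_TA, PKIX_EE},  # one possible choice for another profile
}

class TLSA(NamedTuple):
    usage: int
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def usable(rrset, policy):
    """Drop records whose usage the profile does not define (assumption)."""
    return [r for r in rrset if r.usage in POLICIES[policy]]

def matches(rec, cert_der, spki_der):
    """Compare one TLSA record with the presented certificate."""
    if rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False  # unknown parameters never match
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == rec.data

def ee_match(rrset, policy, cert_der, spki_der):
    """Usages of the usable EE records that match the server certificate."""
    # A PKIX-EE match must also pass PKIX path validation, not done here.
    return [r.usage for r in usable(rrset, policy)
            if r.usage in (PKIX_EE, DANE_EE) and matches(r, cert_der, spki_der)]

# Constructed sample input: stand-in bytes, not real DER encodings.
CERT, SPKI = b"constructed-certificate-bytes", b"constructed-spki-bytes"
RRSET = [
    TLSA(PKIX_EE, 1, 1, hashlib.sha256(SPKI).digest()),
    TLSA(DANE_EE, 0, 2, hashlib.sha512(CERT).digest()),
    TLSA(DANE_TA, 1, 1, hashlib.sha256(b"constructed-ca-spki").digest()),
]

if __name__ == "__main__":
    print({p: ee_match(RRSET, p, CERT, SPKI) for p in POLICIES})
```

With the same RRset and the same certificate, each profile acts on a
different record, so a client and server that disagree on the profile do not
agree on what was authenticated.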