Re: [exim-dev] Opportunistic DANE TLS mode for SMTP

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Viktor Dukhovni
日付:  
To: exim-dev
題目: Re: [exim-dev] Opportunistic DANE TLS mode for SMTP
On Thu, May 02, 2013 at 05:37:57PM +0000, Viktor Dukhovni wrote:

> A couple of follow-ups to the March discussion:
>
>     - PKIX certificate usages need not apply with MTA to MTA SMTP.
>       Treat 0/1 as 2/3 respectively, but beware, that "0 0 [12]" and "0 1
>       [12]" should by default be "unusable".  The reason is that if the
>       trust anchor is a root CA, with certificate usage 0 the server
>       is not obligated to include it in the chain, since the client
>       is expected to do PKIX validation, and so should have a local
>       copy.  Now with SMTP this is an unreasonable expectation, and
>       so unless an MTA has a "complete set" of CA certs (whatever
>       that means) usage 0 with selector != 0 is toxic, and should
>       be treated unusable.  See section 7.4.2 of RFC 2246.

>


One more thing I forgot to respond to from March, a DANE implementation
cannot be limited to just the "IN TLSA x 0 0" use case. In practice
almost all DANE TLSA RRs will be of the "IN TLSA 3 1 1" variety, but
one needs to also be prepared for "IN TLSA 2 1 0" and "IN TLSA 2 1 1".

Even with "0 0 0" and "2 0 0", the certificate in the TLSA RR may
be an intermediate certificate and not a root! Though in practice
almost nobody will publish such RRs since full certificates are
too bulky to store in DNS.

Yes, this means that implementating a DANE verifier is more complex
than just adding another root via a CAfile and asking the SSL
library to do PKI as usual.

One needs to support digest matches, and these may match at any
depth in the certificate chain. One even needs to support "2 1 0"
and "0 1 0", by checking whether the top of the server chain is
signed by a given public key (without the corresponding certificate
in hand).

-- 
    Viktor.