Gitweb:
http://git.exim.org/exim.git/commitdiff/d8129d876786c938f06dfbe91e51ebe36f09ae43
Commit: d8129d876786c938f06dfbe91e51ebe36f09ae43
Parent: e8e86723959ffd4ab6d6b320538ec0e86f828798
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Aug 17 19:05:37 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Aug 17 19:05:37 2014 +0100
Update DANE draft docs
---
doc/doc-txt/draft-ietf-dane-ops-06 | 1568 ++++++++++++++++++++
...e.txt => draft-ietf-dane-smtp-with-dane-12.txt} | 384 ++---
doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt | 384 ++---
3 files changed, 1840 insertions(+), 496 deletions(-)
diff --git a/doc/doc-txt/draft-ietf-dane-ops-06 b/doc/doc-txt/draft-ietf-dane-ops-06
new file mode 100644
index 0000000..6fc8968
--- /dev/null
+++ b/doc/doc-txt/draft-ietf-dane-ops-06
@@ -0,0 +1,1568 @@
+
+
+
+
+DANE V. Dukhovni
+Internet-Draft Unaffiliated
+Intended status: Standards Track W. Hardaker
+Expires: February 18, 2015 Parsons
+ August 17, 2014
+
+
+ Updates to and Operational Guidance for the DANE Protocol
+ draft-ietf-dane-ops-06
+
+Abstract
+
+ This memo clarifies and updates the DANE TLSA protocol based on
+ implementation experience since the publication of the original DANE
+ specification in [RFC6698]. It also contains guidance for DANE
+ implementers and operators.
+
+Status of This Memo
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on February 18, 2015.
+
+Copyright Notice
+
+ Copyright (c) 2014 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 1]
+?
+Internet-Draft DANE operations August 2014
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. DANE TLSA Record Overview . . . . . . . . . . . . . . . . . . 4
+ 2.1. Example TLSA record . . . . . . . . . . . . . . . . . . . 6
+ 3. DANE TLS Requirements . . . . . . . . . . . . . . . . . . . . 6
+ 4. Certificate-Usage-Specific DANE Updates and Guidelines . . . 7
+ 4.1. Certificate Usage DANE-EE(3) . . . . . . . . . . . . . . 7
+ 4.2. Certificate Usage DANE-TA(2) . . . . . . . . . . . . . . 8
+ 4.3. Certificate Usage PKIX-EE(1) . . . . . . . . . . . . . . 11
+ 4.4. Certificate Usage PKIX-TA(0) . . . . . . . . . . . . . . 12
+ 4.5. Opportunistic Security and PKIX usages . . . . . . . . . 12
+ 5. Service Provider and TLSA Publisher Synchronization . . . . . 13
+ 6. TLSA Base Domain and CNAMEs . . . . . . . . . . . . . . . . . 15
+ 7. TLSA Publisher Requirements . . . . . . . . . . . . . . . . . 16
+ 7.1. Key rollover with fixed TLSA Parameters . . . . . . . . . 17
+ 7.2. Switching to DANE-TA from DANE-EE . . . . . . . . . . . . 18
+ 7.3. Switching to New TLSA Parameters . . . . . . . . . . . . 18
+ 7.4. TLSA Publisher Requirements Summary . . . . . . . . . . . 19
+ 8. Digest Algorithm Agility . . . . . . . . . . . . . . . . . . 19
+ 9. General DANE Guidelines . . . . . . . . . . . . . . . . . . . 20
+ 9.1. DANE DNS Record Size Guidelines . . . . . . . . . . . . . 21
+ 9.2. Certificate Name Check Conventions . . . . . . . . . . . 21
+ 9.3. Design Considerations for Protocols Using DANE . . . . . 23
+ 10. Interaction with Certificate Transparency . . . . . . . . . . 23
+ 11. Note on DNSSEC Security . . . . . . . . . . . . . . . . . . . 24
+ 12. Summary of Updates to RFC6698 . . . . . . . . . . . . . . . . 25
+ 13. Security Considerations . . . . . . . . . . . . . . . . . . . 26
+ 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
+ 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
+ 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 16.1. Normative References . . . . . . . . . . . . . . . . . . 27
+ 16.2. Informative References . . . . . . . . . . . . . . . . . 28
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
+
+1. Introduction
+
+ [RFC6698] specifies a new DNS resource record "TLSA" that associates
+ a public certificate or public key of a trusted leaf or issuing
+ authority with the corresponding TLS transport endpoint. These DANE
+ TLSA records, when validated by DNSSEC, can be used to augment or
+ replace the trust model of the existing public Certification
+ Authority (CA) Public Key Infrastructure (PKI).
+
+ [RFC6698] defines three TLSA record fields with respectively 4, 2 and
+ 3 currently specified values. These yield 24 distinct combinations
+ of TLSA record types. This many options have lead to implementation
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 2]
+?
+Internet-Draft DANE operations August 2014
+
+
+ and operational complexity. This memo will recommend best-practice
+ choices to help simplify implementation and deployment given these
+ plethora of choices.
+
+ Implementation complexity also arises from the fact that the TLS
+ transport endpoint is often specified indirectly via Service Records
+ (SRV), Mail Exchange (MX) records, CNAME records or other mechanisms
+ that map an abstract service domain to a concrete server domain.
+ With service indirection there are multiple potential places for
+ clients to find the relevant TLSA records. Service indirection is
+ often used to implement "virtual hosting", where a single Service
+ Provider transport endpoint simultaneously supports multiple hosted
+ domain names. With services that employ TLS, such hosting
+ arrangements may require the Service Provider to deploy multiple
+ pairs of private keys and certificates with TLS clients signaling the
+ desired domain via the Server Name Indication (SNI) extension
+ ([RFC6066], section 3). This memo provides operational guidelines
+ intended to maximize interoperability between DANE TLS clients and
+ servers.
+
+ In the context of this memo, channel security is assumed to be
+ provided by TLS or DTLS. The Transport Layer Security (TLS)
+ [RFC5246] and Datagram Transport Layer Security (DTLS) [RFC6347]
+ protocols provide secured TCP and UDP communication over IP. By
+ convention, "TLS" will be used throughout this document and, unless
+ otherwise specified, the text applies equally well to the DTLS
+ protocol. Used without authentication, TLS provides protection only
+ against eavesdropping through its use of encryption. With
+ authentication, TLS also provides integrity protection and
+ authentication, which protect the transport against man-in-the-middle
+ (MITM) attacks.
+
+ Other related documents that build on [RFC6698] are
+ [I-D.ietf-dane-srv] and [I-D.ietf-dane-smtp-with-dane]. In
+ Section 12 we summarize the updates this document makes to [RFC6698].
+
+1.1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ The following terms are used throughout this document:
+
+ Service Provider: A company or organization that offers to host a
+ service on behalf of a Customer Domain. The original domain name
+ associated with the service often remains under the control of the
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 3]
+?
+Internet-Draft DANE operations August 2014
+
+
+ customer. Connecting applications may be directed to the Service
+ Provider via a redirection resource record. Example redirection
+ records include MX, SRV, and CNAME. The Service Provider
+ frequently provides services for many customers and must carefully
+ manage any TLS credentials offered to connecting applications to
+ ensure name matching is handled easily by the applications.
+
+ Customer Domain: As described above, a client may be interacting
+ with a service that is hosted by a third party. We will refer to
+ the domain name used to locate the service prior to any
+ redirection, as the "Customer Domain".
+
+ TLSA Publisher: The entity responsible for publishing a TLSA record
+ within a DNS zone. This zone will be assumed DNSSEC-signed and
+ validatable to a trust anchor, unless otherwise specified. If the
+ Customer Domain is not outsourcing their DNS service, the TLSA
+ Publisher will be the customer themselves. Otherwise, the TLSA
+ Publisher is sometimes the operator of the outsourced DNS service.
+
+ public key: The term "public key" is short-hand for the
+ subjectPublicKeyInfo component of a PKIX [RFC5280] certificate.
+
+ SNI: The "Server Name Indication" (SNI) TLS protocol extension
+ allows a TLS client to request a connection to a particular
+ service name of a TLS server ([RFC6066], section 3). Without this
+ TLS extension, a TLS server has no choice but to offer a PKIX
+ certificate with a default list of server names, making it
+ difficult to host multiple Customer Domains at the same IP-
+ addressed based TLS service endpoint (i.e., "secure virtual
+ hosting").
+
+ TLSA parameters: In [RFC6698] the TLSA record is defined to consist
+ of four fields. The first three of these are numeric parameters
+ that specify the meaning of the data in fourth and final field.
+ To avoid language contortions when we need to distinguish between
+ the first three fields that together define a TLSA record "type"
+ and the fourth that provides a data value of that type, we will
+ call the first three fields "TLSA parameters", or sometimes just
+ "parameters" when obvious from context.
+
+2. DANE TLSA Record Overview
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 4]
+?
+Internet-Draft DANE operations August 2014
+
+
+ DANE TLSA [RFC6698] specifies a protocol for publishing TLS server
+ certificate associations via DNSSEC [RFC4033] [RFC4034] [RFC4035].
+ The DANE TLSA specification defines multiple TLSA RR types via
+ combinations of numeric values of the first three fields of the TLSA
+ record (i.e. the "TLSA parameters"). The numeric values of these
+ parameters were later given symbolic names in [RFC7218]. These
+ parameters are:
+
+ The Certificate Usage field: Section 2.1.1 of [RFC6698] specifies 4
+ values: PKIX-TA(0), PKIX-EE(1), DANE-TA(2), and DANE-EE(3). There
+ is an additional private-use value: PrivCert(255). All other
+ values are reserved for use by future specifications.
+
+ The selector field: Section 2.1.2 of [RFC6698] specifies 2 values:
+ Cert(0), SPKI(1). There is an additional private-use value:
+ PrivSel(255). All other values are reserved for use by future
+ specifications.
+
+ The matching type field: Section 2.1.3 of [RFC6698] specifies 3
+ values: Full(0), SHA2-256(1), SHA2-512(2). There is an additional
+ private-use value: PrivMatch(255). All other values are reserved
+ for use by future specifications.
+
+ We may think of TLSA Certificate Usage values 0 through 3 as a
+ combination of two one-bit flags. The low-bit chooses between trust
+ anchor (TA) and end entity (EE) certificates. The high bit chooses
+ between PKIX, or public PKI issued, and DANE, or domain-issued trust
+ anchors:
+
+ o When the low bit is set (PKIX-EE(1) and DANE-EE(3)) the TLSA
+ record matches an EE certificate (also commonly referred to as a
+ leaf or server certificate.)
+
+ o When the low bit is not set (PKIX-TA(0) and DANE-TA(2)) the TLSA
+ record matches a trust anchor (a Certification Authority) that
+ issued one of the certificates in the server certificate chain.
+
+ o When the high bit is set (DANE-TA(2) and DANE-EE(3)), the server
+ certificate chain is domain-issued and may be verified without
+ reference to any pre-existing public certification authority PKI.
+ Trust is entirely placed on the content of the TLSA records
+ obtained via DNSSEC.
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 5]
+?
+Internet-Draft DANE operations August 2014
+
+
+ o When the high bit is not set (PKIX-TA(0) and PKIX-EE(1)), the TLSA
+ record publishes a server policy stating that its certificate
+ chain must pass PKIX validation [RFC5280] and the DANE TLSA record
+ is used to signal an additional requirement that the PKIX
+ validated server certificate chain also contains the referenced CA
+ or EE certificate.
+
+ The selector field specifies whether the TLSA RR matches the whole
+ certificate (Cert(0)) or just its subjectPublicKeyInfo (SPKI(1)).
+ The subjectPublicKeyInfo is an ASN.1 DER encoding of the
+ certificate's algorithm id, any parameters and the public key data.
+
+ The matching type field specifies how the TLSA RR Certificate
+ Association Data field is to be compared with the certificate or
+ public key. A value of Full(0) means an exact match: the full DER
+ encoding of the certificate or public key is given in the TLSA RR. A
+ value of SHA2-256(1) means that the association data matches the
+ SHA2-256 digest of the certificate or public key, and likewise
+ SHA2-512(2) means a SHA2-512 digest is used. Of the two digest
+ algorithms, for now only SHA2-256(1) is mandatory to implement.
+ Clients SHOULD implement SHA2-512(2), but servers SHOULD NOT
+ exclusively publish SHA2-512(2) digests. The digest algorithm
+ agility protocol defined in Section 8 SHOULD be used by clients to
+ decide how to process TLSA RRsets that employ multiple digest
+ algorithms. Server operators MUST publish TLSA RRsets that are
+ compatible with digest algorithm agility.
+
+2.1. Example TLSA record
+
+ In the example TLSA record below:
+
+ _25._tcp.mail.example.com. IN TLSA PKIX-TA Cert SHA2-256 (
+ E8B54E0B4BAA815B06D3462D65FBC7C0
+ CF556ECCF9F5303EBFBB77D022F834C0 )
+
+ The TLSA Certificate Usage is DANE-TA(2), the selector is Cert(0) and
+ the matching type is SHA2-256(1). The last field is the Certificate
+ Association Data Field, which in this case contains the SHA2-256
+ digest of the server certificate.
+
+3. DANE TLS Requirements
+
+ [RFC6698] does not discuss what versions of TLS are required when
+ using DANE records. This document specifies that TLS clients that
+ support DANE/TLSA MUST support at least TLS 1.0 and SHOULD support
+ TLS 1.2. TLS clients and servers using DANE SHOULD support the
+ "Server Name Indication" (SNI) extension of TLS.
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 6]
+?
+Internet-Draft DANE operations August 2014
+
+
+4. Certificate-Usage-Specific DANE Updates and Guidelines
+
+ The four Certificate Usage values from the TLSA record, DANE-EE(3),
+ DANE-TA(2), PKIX-EE(1) and PKIX-TA(0), are discussed below.
+
+4.1. Certificate Usage DANE-EE(3)
+
+ In this section the meaning of DANE-EE(3) is updated from [RFC6698]
+ to specify that peer identity matching and that validity interval
+ compliance is based solely on the TLSA RRset properties. We also
+ extend [RFC6698] to cover the use of DANE authentication of raw
+ public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with
+ Certificate Usage DANE-EE(3) and selector SPKI(1).
+
+ Authentication via certificate usage DANE-EE(3) TLSA records involves
+ simply checking that the server's leaf certificate matches the TLSA
+ record. In particular, the binding of the server public key to its
+ name is based entirely on the TLSA record association. The server
+ MUST be considered authenticated even if none of the names in the
+ certificate match the client's reference identity for the server.
+
+ Similarly, with DANE-EE(3), the expiration date of the server
+ certificate MUST be ignored. The validity period of the TLSA record
+ key binding is determined by the validity interval of the TLSA record
+ DNSSEC signatures.
+
+ With DANE-EE(3) servers that know all the connecting clients are
+ making use of DANE, they need not employ SNI (i.e., the may ignore
+ the client's SNI message) even when the server is known under
+ multiple domain names that would otherwise require separate
+ certificates. It is instead sufficient for the TLSA RRsets for all
+ the domain names in question to match the server's primary
+ certificate. For application protocols where the server name is
+ obtained indirectly via SRV, MX or similar records, it is simplest to
+ publish a single hostname as the target server name for all the
+ hosted domains.
+
+ In organizations where it is practical to make coordinated changes in
+ DNS TLSA records before server key rotation, it is generally best to
+ publish end-entity DANE-EE(3) certificate associations in preference
+ to other choices of certificate usage. DANE-EE(3) TLSA records
+ support multiple server names without SNI, don't suddenly stop
+ working when leaf or intermediate certificates expire, and don't fail
+ when a server operator neglects to include all the required issuer
+ certificates in the server certificate chain.
+
+ TLSA records published for DANE servers SHOULD, as a best practice,
+ be "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 7]
+?
+Internet-Draft DANE operations August 2014
+
+
+ implementations are required to support SHA2-256, this record type
+ works for all clients and need not change across certificate renewals
+ with the same key. This TLSA record type easily supports hosting
+ arrangements with a single certificate matching all hosted domains.
+ It is also the easiest to implement correctly in the client.
+
+ Another advantage of "DANE-EE(3) SPKI(1)" (with any suitable matching
+ type) TLSA records is that they are compatible with the raw public
+ key TLS extension specified in [I-D.ietf-tls-oob-pubkey]. DANE
+ clients that support this extension can use the TLSA record to
+ authenticate servers that negotiate the use of raw public keys in
+ place of X.509 certificate chains. Provided the server adheres to
+ the requirements of Section 7, the fact that raw public keys are not
+ compatible with any other TLSA record types will not get in the way
+ of successful authentication. Clients that employ DANE to
+ authenticate the peer server SHOULD NOT negotiate the use of raw
+ public keys unless the server's TLSA RRset includes compatible TLSA
+ records.
+
+ While it is, in principle, also possible to authenticate raw public
+ keys via "DANE-EE(3) Cert(0) Full(0)" records by extracting the
+ public key from the certificate in DNS, this is in conflict with the
+ indicated selector and requires extra logic on clients that not all
+ implementations are expected to provide. Servers SHOULD NOT rely on
+ "DANE-EE(3) Cert(0) Full(0)" TLSA records to publish authentication
+ data for raw public keys.
+
+4.2. Certificate Usage DANE-TA(2)
+
+ This section updates [RFC6698] by specifying a new operational
+ requirement for servers publishing TLSA records with a usage of DANE-
+ TA(2): such servers MUST include the trust-anchor certificate in
+ their TLS server certificate message.
+
+ Some domains may prefer to avoid the operational complexity of
+ publishing unique TLSA RRs for each TLS service. If the domain
+ employs a common issuing Certification Authority to create
+ certificates for multiple TLS services, it may be simpler to publish
+ the issuing authority as a trust anchor (TA) for the certificate
+ chains of all relevant services. The TLSA query domain (TLSA base
+ domain with port and protocol prefix labels) for each service issued
+ by the same TA may then be set to a CNAME alias that points to a
+ common TLSA RRset that matches the TA. For example:
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 8]
+?
+Internet-Draft DANE operations August 2014
+
+
+ www1.example.com. IN A 192.0.2.1
+ www2.example.com. IN A 192.0.2.2
+ _443._tcp.www1.example.com. IN CNAME tlsa201._dane.example.com.
+ _443._tcp.www2.example.com. IN CNAME tlsa201._dane.example.com.
+ tlsa201._dane.example.com. IN TLSA 2 0 1 e3b0c44298fc1c14...
+
+ With usage DANE-TA(2) the server certificates will need to have names
+ that match one of the client's reference identifiers (see [RFC6125]).
+ The server SHOULD employ SNI to select the appropriate certificate to
+ present to the client.
+
+4.2.1. Recommended record combinations
+
+ TLSA records with selector Full(0) are NOT RECOMMENDED. While these
+ potentially obviate the need to transmit the TA certificate in the
+ TLS server certificate message, client implementations may not be
+ able to augment the server certificate chain with the data obtained
+ from DNS, especially when the TLSA record supplies a bare key
+ (selector SPKI(1)). Since the server will need to transmit the TA
+ certificate in any case, server operators SHOULD publish TLSA records
+ with a selector other than Full(0) and avoid potential DNS
+ interoperability issues with large TLSA records containing full
+ certificates or keys (see Section 9.1.1).
+
+ TLSA Publishers employing DANE-TA(2) records SHOULD publish records
+ with a selector of Cert(0). Such TLSA records are associated with
+ the whole trust anchor certificate, not just with the trust anchor
+ public key. In particular, the client SHOULD then apply any relevant
+ constraints from the trust anchor certificate, such as, for example,
+ path length constraints.
+
+ While a selector of SPKI(1) may also be employed, the resulting TLSA
+ record will not specify the full trust anchor certificate content,
+ and elements of the trust anchor certificate other than the public
+ key become mutable. This may, for example, enable a subsidiary CA to
+ issue a chain that violates the trust anchor's path length or name
+ constraints.
+
+4.2.2. Trust anchor digests and server certificate chain
+
+ With DANE-TA(2) (these TLSA records are expected to match the digest
+ of a TA certificate or public key), a complication arises when the TA
+ certificate is omitted from the server's certificate chain, perhaps
+ on the basis of Section 7.4.2 of [RFC5246]:
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 9]
+?
+Internet-Draft DANE operations August 2014
+
+
+ The sender's certificate MUST come first in the list. Each
+ following certificate MUST directly certify the one preceding
+ it. Because certificate validation requires that root keys be
+ distributed independently, the self-signed certificate that
+ specifies the root certification authority MAY be omitted from
+ the chain, under the assumption that the remote end must
+ already possess it in order to validate it in any case.
+
+ With TLSA Certificate Usage DANE-TA(2), there is no expectation that
+ the client is pre-configured with the trust anchor certificate. In
+ fact, client implementations are free to ignore all locally
+ configured trust anchors when processing usage DANE-TA(2) TLSA
+ records and may rely exclusively on the certificates provided in the
+ server's certificate chain. But, with a digest in the TLSA record,
+ the TLSA record contains neither the full trust anchor certificate
+ nor the full public key. If the TLS server's certificate chain does
+ not contain the trust anchor certificate, DANE clients will be unable
+ to authenticate the server.
+
+ TLSA Publishers that publish TLSA Certificate Usage DANE-TA(2)
+ associations with a selector of SPKI(1) or using a digest-based
+ matching type (not Full(0)) MUST ensure that the corresponding server
+ is configured to also include the trust anchor certificate in its TLS
+ handshake certificate chain, even if that certificate is a self-
+ signed root CA and would have been optional in the context of the
+ existing public CA PKI.
+
+4.2.3. Trust anchor public keys
+
+ TLSA records with TLSA Certificate Usage DANE-TA(2), selector SPKI(1)
+ and a matching type of Full(0) will publish the full public key of a
+ trust anchor via DNS. In section 6.1.1 of [RFC5280] the definition
+ of a trust anchor consists of the following four parts:
+
+ 1. the trusted issuer name,
+
+ 2. the trusted public key algorithm,
+
+ 3. the trusted public key, and
+
+ 4. optionally, the trusted public key parameters associated with the
+ public key.
+
+ Items 2-4 are precisely the contents of the subjectPublicKeyInfo
+ published in the TLSA record. The issuer name is not included in the
+ subjectPublicKeyInfo.
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 10]
+?
+Internet-Draft DANE operations August 2014
+
+
+ With TLSA Certificate Usage DANE-TA(2), the client may not have the
+ associated trust anchor certificate, and cannot generally verify
+ whether a particular certificate chain is "issued by" the trust
+ anchor described in the TLSA record.
+
+ When the server certificate chain includes a CA certificate whose
+ public key matches the TLSA record, the client can match that CA as
+ the intended issuer. Otherwise, the client can only check that the
+ topmost certificate in the server's chain is "signed by" the trust
+ anchor's public key in the TLSA record. Such a check may be
+ difficult to implement, and cannot be expected to be supported by all
+ clients.
+
+ Thus, servers should not rely on "DANE-TA(2) SPKI(1) Full(0)" TLSA
+ records to be sufficient to authenticate chains issued by the
+ associated public key in the absence of a corresponding certificate
+ in the server's TLS certificate message. Servers SHOULD include the
+ TA certificate in their certificate chain.
+
+ If none of the server's certificate chain elements match a public key
+ specified in a TLSA record, and at least one "DANE-TA(2) SPKI(1)
+ Full(0)" TLSA record is available, clients are encouraged to check
+ whether the topmost certificate in the chain is signed by the
+ provided public key and has not expired, and in that case consider
+ the server authenticated, provided the rest of the chain passes
+ validation including leaf certificate name checks.
+
+4.3. Certificate Usage PKIX-EE(1)
+
+ This Certificate Usage is similar to DANE-EE(3), but in addition PKIX
+ verification is required. Therefore, name checks, certificate
+ expiration, etc., apply as they would without DANE. When, for a
+ given application protocol, DANE clients support both DANE-EE(3) and
+ PKIX-EE(1) usages, it should be noted that an attacker who can
+ compromise DNSSEC can replace these with usage DANE-EE(3) or DANE-
+ TA(2) TLSA records of their choosing, and thus bypass any PKIX
+ verification requirements.
+
+ Therefore, except when applications support only the PKIX Certificate
+ Usages (0 and 1), this Certificate Usage offers only illusory
+ incremental security over usage DANE-EE(3). It provides lower
+ operational reliability than DANE-EE(3) since some clients may not be
+ configured with the required root CA, the server's chain may be
+ incomplete or name checks may fail. PKIX-EE(1) also requires more
+ complex coordination between the Customer Domain and the Service
+ Provider in hosting arrangements. This certificate usage is NOT
+ RECOMMENDED.
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 11]
+?
+Internet-Draft DANE operations August 2014
+
+
+4.4. Certificate Usage PKIX-TA(0)
+
+ This section updates [RFC6698] by specifying new client
+ implementation requirements. Clients that trust intermediate
+ certificates MUST be prepared to construct longer PKIX chains than
+ would be required for PKIX alone.
+
+ TLSA Certificate Usage PKIX-TA(0) allows a domain to publish
+ constraints on the set of PKIX certification authorities trusted to
+ issue certificates for its TLS servers. This TLSA record matches
+ PKIX-verified trust chains which contain an issuer certificate (root
+ or intermediate) that matches its association data field (typically a
+ certificate or digest).
+
+ As with PKIX-EE(1) case, an attacker who can compromise DNSSEC can
+ replace these with usage DANE-EE(3) or DANE-TA(2) TLSA records of his
+ choosing and thus bypass the PKIX verification requirements.
+ Therefore, except when applications support only the PKIX Certificate
+ Usages (0 and 1), this Certificate Usage offers only illusory
+ incremental security over usage DANE-TA(2). It provides lower
+ operational reliability than DANE-TA(2) since some clients may not be
+ configured with the required root CA. PKIX-TA(0) also requires more
+ complex coordination between the Customer Domain and the Service
+ Provider in hosting arrangements. This certificate usage is NOT
+ RECOMMENDED.
+
+ TLSA Publishers who publish TLSA records for a particular public root
+ CA, will expect that clients will then only accept chains anchored at
+ that root. It is possible, however, that the client's trusted
+ certificate store includes some intermediate CAs, either with or
+ without the corresponding root CA. When a client constructs a trust
+ chain leading from a trusted intermediate CA to the server leaf
+ certificate, such a "truncated" chain might not contain the trusted
+ root published in the server's TLSA record.
+
+ If the omitted root is also trusted, the client may erroneously
+ reject the server chain if it fails to determine that the shorter
+ chain it constructed extends to a longer trusted chain that matches
+ the TLSA record. Thus, when matching a usage PKIX-TA(0) TLSA record,
+ a client SHOULD NOT always stop extending the chain when the first
+ locally trusted certificate is found. If no TLSA records have
+ matched any of the elements of the chain, and the trusted certificate
+ found is not self-issued, the client MUST attempt to build a longer
+ chain in the hope that a certificate closer to the root may in fact
+ match the server's TLSA record.
+
+4.5. Opportunistic Security and PKIX usages
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 12]
+?
+Internet-Draft DANE operations August 2014
+
+
+ When the client's protocol design is based on Opportunistic Security
+ (OS, [I-D.dukhovni-opportunistic-security]), and authentication is
+ opportunistically employed based on the presence of server TLSA
+ records, it is especially important to avoid the PKIX-EE(1) and PKIX-
+ TA(0) certificate usages. This is because the client has no way to
+ know in advance that it and the server both trust the requisite root
+ CA. Use of authentication in OS needs to be employed only when the
+ client can be confident of success, absent an attack, or an
+ operational error on the server side.
+
+5. Service Provider and TLSA Publisher Synchronization
+
+ Complications arise when the TLSA Publisher is not the same entity as
+ the Service Provider. In this situation, the TLSA Publisher and the
+ Service Provider must cooperate to ensure that TLSA records published
+ by the TLSA Publisher don't fall out of sync with the server
+ certificate used by the Service Provider.
+
+ Whenever possible, the TLSA Publisher and the Service Provider should
+ be the same entity. Otherwise, changes in the service certificate
+ chain must be carefully coordinated between the parties involved.
+ Such coordination is difficult and service outages will result when
+ coordination fails.
+
+ Having the master TLSA record in the Service Provider's zone avoids
+ the complexity of bilateral coordination of server certificate
+ configuration and TLSA record management. Even when the TLSA RRset
+ must be published in the Customer Domain's DNS zone (perhaps the
+ client application does not "chase" CNAMEs to the TLSA base domain),
+ it is possible to employ CNAME records to delegate the content of the
+ TLSA RRset to a domain operated by the Service Provider. Certificate
+ name checks generally constrain the applicability of TLSA CNAMEs
+ across organizational boundaries to Certificate Usages DANE-EE(3) and
+ DANE-TA(2):
+
+ Certificate Usage DANE-EE(3): In this case the Service Provider can
+ publish a single TLSA RRset that matches the server certificate or
+ public key digest. The same RRset works for all Customer Domains
+ because name checks do not apply with DANE-EE(3) TLSA records (see
+ Section 4.1). A Customer Domain can create a CNAME record
+ pointing to the TLSA RRset published by the Service Provider.
+
+ Certificate Usage DANE-TA(2): When the Service Provider operates a
+ private certification authority, the Service Provider is free to
+ issue a certificate bearing any customer's domain name. Without
+ DANE, such a certificate would not pass trust verification, but
+ with DANE, the customer's TLSA RRset that is aliased to the
+ provider's TLSA RRset can delegate authority to the provider's CA
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 13]
+?
+Internet-Draft DANE operations August 2014
+
+
+ for the corresponding service. The Service Provider can generate
+ appropriate certificates for each customer and use the SNI
+ information provided by clients to select the right certificate
+ chain to present to each client.
+
+ Below are example DNS records (assumed "secure" and shown without the
+ associated DNSSEC information, such as record signatures) that
+ illustrate both of of the above models in the case of an HTTPS
+ service whose clients all support DANE TLS. These examples work even
+ with clients that don't "chase" CNAMEs when constructing the TLSA
+ base domain (see Section 6 below).
+
+ ; The hosted web service is redirected via a CNAME alias.
+ ; The associated TLSA RRset is also redirected via a CNAME alias.
+ ;
+ ; A single certificate at the provider works for all Customer
+ ; Domains due to the use of the DANE-EE(3) Certificate Usage.
+ ;
+ www1.example.com. IN CNAME w1.example.net.
+ _443._tcp.www1.example.com. IN CNAME _443._tcp.w1.example.net.
+ _443._tcp.w1.example.net. IN TLSA DANE-EE SPKI SHA2-256 (
+ 8A9A70596E869BED72C69D97A8895DFA
+ D86F300A343FECEFF19E89C27C896BC9 )
+
+ ;
+ ; A CA at the provider can also issue certificates for each Customer
+ ; Domain, and use the DANE-TA(2) Certificate Usage type to
+ ; indicate a trust anchor.
+ ;
+ www2.example.com. IN CNAME w2.example.net.
+ _443._tcp.www2.example.com. IN CNAME _443._tcp.w2.example.net.
+ _443._tcp.w2.example.net. IN TLSA DANE-TA Cert SHA2-256 (
+ C164B2C3F36D068D42A6138E446152F5
+ 68615F28C69BD96A73E354CAC88ED00C )
+
+ With protocols that support explicit transport redirection via DNS MX
+ records, SRV records, or other similar records, the TLSA base domain
+ is based on the redirected transport end-point, rather than the
+ origin domain. With SMTP, for example, when an email service is
+ hosted by a Service Provider, the Customer Domain's MX hostnames will
+ point at the Service Provider's SMTP hosts. When the Customer
+ Domain's DNS zone is signed, the MX hostnames can be securely used as
+ the base domains for TLSA records that are published and managed by
+ the Service Provider. For example (without the required DNSSEC
+ information, such as record signatures):
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 14]
+?
+Internet-Draft DANE operations August 2014
+
+
+ ; Hosted SMTP service
+ ;
+ example.com. IN MX 0 mx1.example.net.
+ example.com. IN MX 0 mx2.example.net.
+ _25._tcp.mx1.example.net. IN TLSA DANE-EE SPKI SHA2-256 (
+ 8A9A70596E869BED72C69D97A8895DFA
+ D86F300A343FECEFF19E89C27C896BC9 )
+ _25._tcp.mx2.example.net. IN TLSA DANE-EE SPKI SHA2-256 (
+ C164B2C3F36D068D42A6138E446152F5
+ 68615F28C69BD96A73E354CAC88ED00C )
+
+ If redirection to the Service Provider's domain (via MX or SRV
+ records or any similar mechanism) is not possible, and aliasing of
+ the TLSA record is not an option, then more complex coordination
+ between the Customer Domain and Service Provider will be required.
+ Either the Customer Domain periodically provides private keys and a
+ corresponding certificate chain to the Provider (after making
+ appropriate changes in its TLSA records), or the Service Provider
+ periodically generates the keys and certificates and must wait for
+ matching TLSA records to be published by its Customer Domains before
+ deploying newly generated keys and certificate chains. In Section 6
+ below, we describe an approach that employs CNAME "chasing" to avoid
+ the difficulties of coordinating key management across organization
+ boundaries.
+
+ For further information about combining DANE and SRV, please see
+ [I-D.ietf-dane-srv].
+
+6. TLSA Base Domain and CNAMEs
+
+ When the application protocol does not support service location
+ indirection via MX, SRV or similar DNS records, the service may be
+ redirected via a CNAME. A CNAME is a more blunt instrument for this
+ purpose, since unlike an MX or SRV record, it remaps the entire
+ origin domain to the target domain for all protocols.
+
+ The complexity of coordinating key management is largely eliminated
+ when DANE TLSA records are found in the Service Provider's domain, as
+ discussed in Section 5. Therefore, DANE TLS clients connecting to a
+ server whose domain name is a CNAME alias SHOULD follow the CNAME
+ hop-by-hop to its ultimate target host (noting at each step whether
+ the CNAME is DNSSEC-validated). If at each stage of CNAME expansion
+ the DNSSEC validation status is "secure", the final target name
+ SHOULD be the preferred base domain for TLSA lookups.
+
+ Implementations failing to find a TLSA record using a base name of
+ the final target of a CNAME expansion SHOULD issue a TLSA query using
+ the original destination name. That is, the preferred TLSA base
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 15]
+?
+Internet-Draft DANE operations August 2014
+
+
+ domain should be derived from the fully expanded name, and failing
+ that should be the initial domain name.
+
+ When the TLSA base domain is the result of "secure" CNAME expansion,
+ the resulting domain name MUST be used as the HostName in SNI, and
+ MUST be the primary reference identifier for peer certificate
+ matching with certificate usages other than DANE-EE(3).
+
+ Protocol-specific TLSA specifications may provide additional guidance
+ or restrictions when following CNAME expansions.
+
+ Though CNAMEs are illegal on the right hand side of most indirection
+ records, such as MX and SRV records, they are supported by some
+ implementations. For example, if the MX or SRV host is a CNAME
+ alias, some implementations may "chase" the CNAME. If they do, they
+ SHOULD use the target hostname as the preferred TLSA base domain as
+ described above (and if the TLSA records are found there, use the
+ CNAME expanded domain also in SNI and certificate name checks).
+
+7. TLSA Publisher Requirements
+
+ This section updates [RFC6698] by specifying a requirement on the
+ TLSA Publisher to ensure that each combination of Certificate Usage,
+ selector and matching type in the server's TLSA RRset MUST include at
+ least one record that matches the server's current certificate chain.
+ TLSA records that match recently retired or yet to be deployed
+ certificate chains will be present during key rollover. Such past or
+ future records must never be the only records published for any given
+ combination of usage, selector and matching type. We describe a TLSA
+ record update algorithm that ensures this requirement is met.
+
+ While a server is to be considered authenticated when its certificate
+ chain is matched by any of the published TLSA records, not all
+ clients support all combinations of TLSA record parameters. Some
+ clients may not support some digest algorithms, others may either not
+ support, or may exclusively support, the PKIX Certificate Usages.
+ Some clients may prefer to negotiate [I-D.ietf-tls-oob-pubkey] raw
+ public keys, which are only compatible with TLSA records whose
+ Certificate Usage is DANE-EE(3) with selector SPKI(1).
+
+
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 16]
+?
+Internet-Draft DANE operations August 2014
+
+
+ A consequence of the above uncertainty as to which TLSA parameters
+ are supported by any given client is that servers need to ensure that
+ each and every parameter combination that appears in the TLSA RRset
+ is, on its own, sufficient to match the server's current certificate
+ chain. In particular, when deploying new keys or new parameter
+ combinations some care is required to not generate parameter
+ combinations that only match past or future certificate chains (or
+ raw public keys). The rest of this section explains how to update
+ the TLSA RRset in a manner that ensures the above requirement is met.
+
+7.1. Key rollover with fixed TLSA Parameters
+
+ The simplest case is key rollover while retaining the same set of
+ published parameter combinations. In this case, TLSA records
+ matching the existing server certificate chain (or raw public keys)
+ are first augmented with corresponding records matching the future
+ keys, at least two TTLs or longer before the the new chain is
+ deployed. This allows the obsolete RRset to age out of client caches
+ before the new chain is used in TLS handshakes. Once sufficient time
+ has elapsed and all clients performing DNS lookups are retrieving the
+ updated TLSA records, the server administrator may deploy the new
+ certificate chain, verify that it works, and then remove any obsolete
+ records matching the no longer active chain:
+
+ ; The initial TLSA RRset
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+ ; The transitional TLSA RRset published at least 2*TTL seconds
+ ; before the actual key change
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; The final TLSA RRset after the key change
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ The next case to consider is adding or switching to a new combination
+ of TLSA parameters. In this case publish the new parameter
+ combinations for the server's existing certificate chain first, and
+ only then deploy new keys if desired:
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 17]
+?
+Internet-Draft DANE operations August 2014
+
+
+ ; Initial TLSA RRset
+ ;
+ _443._tcp.www.example.org. IN TLSA 1 1 1 01d09d19c2139a46...
+
+ ; New TLSA RRset, same key re-published as DANE-EE(3)
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+7.2. Switching to DANE-TA from DANE-EE
+
+ A more complex involves switching to a trust-anchor or PKIX usage
+ from a chain that is either self-signed, or issued by a private CA
+ and thus not compatible with PKIX. Here the process is to first add
+ TLSA records matching the future chain that is issued by the desired
+ future CA (private or PKIX), but initially with the same parameters
+ as the legacy chain. Then, after deploying the new keys, switch to
+ the new TLSA parameter combination.
+
+ ; The initial TLSA RRset
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+
+ ; A transitional TLSA RRset, published at least 2*TTL before the
+ ; actual key change. The new keys are issued by a DANE-TA(2) CA,
+ ; but for now specified via a DANE-EE(3) association.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; The final TLSA RRset after the key change. Now that the old
+ ; self-signed EE keys are not an impediment, specify the issuing
+ ; TA of the new keys.
+ ;
+ _443._tcp.www.example.org. IN TLSA 2 0 1 c57bce38455d9e3d...
+
+7.3. Switching to New TLSA Parameters
+
+ When employing a new digest algorithm in the TLSA RRset, for
+ compatibility with digest agility specified in Section 8 below,
+ administrators should publish the new digest algorithm with each
+ combinations of Certificate Usage and selector for each associated
+ key or chain used with any other digest algorithm. When removing an
+ algorithm, remove it entirely. Each digest algorithm employed should
+ match the same set of chains (or raw public keys).
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 18]
+?
+Internet-Draft DANE operations August 2014
+
+
+ ; The initial TLSA RRset with EE SHA2-256 associations for two keys.
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+
+ ; The new TLSA RRset also with SHA2-512 associations for each key
+ ;
+ _443._tcp.www.example.org. IN TLSA 3 1 1 01d09d19c2139a46...
+ _443._tcp.www.example.org. IN TLSA 3 1 2 d9947c35089310bc...
+ _443._tcp.www.example.org. IN TLSA 3 1 1 7aa7a5359173d05b...
+ _443._tcp.www.example.org. IN TLSA 3 1 2 89a7486a4b6ae714...
+
+7.4. TLSA Publisher Requirements Summary
+
+ In summary, server operators updating TLSA records should make one
+ change at a time. The individual safe changes are:
+
+ o Pre-publish new certificate associations that employ the same TLSA
+ parameters (usage, selector and matching type) as existing TLSA
+ records, but match certificate chains that will be deployed in the
+ near future. Wait for stale TLSA RRsets to expire from DNS caches
+ before configuring servers to use the new certificate chain.
+
+ o Remove TLSA records matching no longer deployed certificate
+ chains.
+
+ o Extend the TLSA RRset with a new combination of parameters (usage,
+ selector and matching type) that is used to generate matching
+ associations for all certificate chains that are published with
+ some other parameter combination.
+
+ The above steps are intended to ensure that at all times and for each
+ combination of usage, selector and matching type at least one TLSA
+ record corresponds to the server's current certificate chain. No
+ combination of Certificate Usage, selector and matching type in a
+ server's TLSA RRset should ever match only some combination of future
+ or past certificate chains. As a result, no matter what combinations
+ of usage, selector and matching type may be supported by a given
+ client, they will be sufficient to authenticate the server.
+
+8. Digest Algorithm Agility
+
+
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 19]
+?
+Internet-Draft DANE operations August 2014
+
+
+ While [RFC6698] specifies multiple digest algorithms, it does not
+ specify a protocol by which the TLS client and TLSA record publisher
+ can agree on the strongest shared algorithm. Such a protocol would
+ allow the client and server to avoid exposure to any deprecated
+ weaker algorithms that are published for compatibility with less
+ capable clients, but should be ignored when possible. We specify
+ such a protocol below.
+
+ Suppose that a DANE TLS client authenticating a TLS server considers
+ digest algorithm "BetterAlg" stronger than digest algorithm
+ "WorseAlg". Suppose further that a server's TLSA RRset contains some
+ records with "BetterAlg" as the digest algorithm. Suppose also that
+ the server adheres to the requirements of Section 7 and ensures that
+ each combination of TLSA parameters contains at least one record that
+ matches the server's current certificate chain (or raw public keys).
+ Under the above assumptions the client can safely ignore TLSA records
+ with the weaker algorithm "WorseAlg", because it suffices to only
+ check the records with the stronger algorithm "BetterAlg".
+
+ To make digest algorithm agility possible, all published TLSA RRsets
+ for use with DANE TLS MUST conform to the requirements of Section 7.
+ With servers publishing compliant TLSA RRsets, TLS clients can, for
+ each combination of usage and selector, ignore all digest records
+ except those that employ their notion of the strongest digest
+ algorithm. (The server should only publish algorithms it deems
+ acceptable at all.) The ordering of digest algorithms by strength is
+ not specified in advance; it is entirely up to the TLS client. TLS
+ client implementations SHOULD make the digest algorithm preference
+ ordering a configurable option.
+
+ Note, TLSA records with a matching type of Full(0) that publish an
+ entire certificate or public key object play no role in digest
+ algorithm agility. They neither trump the processing of records that
+ employ digests, nor are they ignored in the presence of any records
+ with a digest (i.e. non-zero) matching type.
+
+ TLS clients SHOULD use digest algorithm agility when processing the
+ DANE TLSA records of an TLS server. Algorithm agility is to be
+ applied after first discarding any unusable or malformed records
+ (unsupported digest algorithm, or incorrect digest length). Thus,
+ for each usage and selector, the client SHOULD process only any
+ usable records with a matching type of Full(0) and the usable records
+ whose digest algorithm is considered by the client to be the
+ strongest among usable records with the given usage and selector.
+
+9. General DANE Guidelines
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 20]
+?
+Internet-Draft DANE operations August 2014
+
+
+ These guidelines provide guidance for using or designing protocols
+ for DANE.
+
+9.1. DANE DNS Record Size Guidelines
+
+ Selecting a combination of TLSA parameters to use requires careful
+ thought. One important consideration to take into account is the
+ size of the resulting TLSA record after its parameters are selected.
+
+9.1.1. UDP and TCP Considerations
+
+ Deployments SHOULD avoid TLSA record sizes that cause UDP
+ fragmentation.
+
+ Although DNS over TCP would provide the ability to more easily
+ transfer larger DNS records between clients and servers, it is not
+ universally deployed and is still prohibited by some firewalls.
+ Clients that request DNS records via UDP typically only use TCP upon
+ receipt of a truncated response in the DNS response message sent over
+ UDP. Setting the TC bit alone will be insufficient if the response
+ containing the TC bit is itself fragmented.
+
+9.1.2. Packet Size Considerations for TLSA Parameters
+
+ Server operators SHOULD NOT publish TLSA records using both a TLSA
+ Selector of Cert(0) and a TLSA Matching Type of Full(0), as even a
+ single certificate is generally too large to be reliably delivered
+ via DNS over UDP. Furthermore, two TLSA records containing full
+ certificates will need to be published simultaneously during a
+ certificate rollover, as discussed in Section 7.1.
+
+ While TLSA records using a TLSA Selector of SPKI(1) and a TLSA
+ Matching Type of Full(0) (which publish the bare public keys without
+ the overhead of a containing X.509 certificate) are generally more
+ compact, these too should be used with caution as they are still
+ larger than necessary. Rather, servers SHOULD publish digest-based
+ TLSA Matching Types in their TLSA records. The complete
+ corresponding certificate should, instead, be transmitted to the
+ client in-band during the TLS handshake, which can be easily verified
+ using the digest value.
+
+ In summary, the use of a TLSA Matching Type of Full(0) is NOT
+ RECOMMENDED and the use of a digest-based matching type, such as
+ SHA2-256(1) SHOULD be used.
+
+9.2. Certificate Name Check Conventions
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 21]
+?
+Internet-Draft DANE operations August 2014
+
+
+ Certificates presented by a TLS server will generally contain a
+ subjectAltName (SAN) extension or a Common Name (CN) element within
+ the subject distinguished name (DN). The TLS server's DNS domain
+ name is normally published within these elements, ideally within the
+ subjectAltName extension. (The use of the CN field for this purpose
+ is deprecated.)
+
+ When a server hosts multiple domains at the same transport endpoint,
+ the server's ability to respond with the right certificate chain is
+ predicated on correct SNI information from the client. DANE clients
+ MUST send the SNI extension with a HostName value of the base domain
+ of the TLSA RRset.
+
+ Except with TLSA Certificate Usage DANE-EE(3), where name checks are
+ not applicable (see Section 4.1), DANE clients MUST verify that the
+ client has reached the correct server by checking that the server
+ name is listed in the server certificate's SAN or CN. The server
+ name used for this comparison SHOULD be the base domain of the TLSA
+ RRset. Additional acceptable names may be specified by protocol-
+ specific DANE standards. For example, with SMTP both the destination
+ domain name and the MX host name are acceptable names to be found in
+ the server certificate (see [I-D.ietf-dane-smtp-with-dane]).
+
+ It is the responsibility of the service operator, in coordination
+ with the TLSA Publisher, to ensure that at least one of the TLSA
+ records published for the service will match the server's certificate
+ chain (either the default chain or the certificate that was selected
+ based on the SNI information provided by the client).
+
+ Given the DNSSEC validated DNS records below:
+
+ example.com. IN MX 0 mail.example.com.
+ mail.example.com. IN A 192.0.2.1
+ _25._tcp.mail.example.com. IN TLSA DANE-TA Cert SHA2-256 (
+ E8B54E0B4BAA815B06D3462D65FBC7C0
+ CF556ECCF9F5303EBFBB77D022F834C0 )
+
+ The TLSA base domain is "mail.example.com" and is required to be the
+ HostName in the client's SNI extension. The server certificate chain
+ is required to be be signed by a trust anchor with the above
+ certificate SHA2-256 digest. Finally, one of the DNS names in the
+ server certificate is required to be be either "mail.example.com" or
+ "example.com" (this additional name is a concession to compatibility
+ with prior practice, see [I-D.ietf-dane-smtp-with-dane] for details).
+
+ The semantics of wildcards in server certificates are left to
+ individual application protocol specifications.
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 22]
+?
+Internet-Draft DANE operations August 2014
+
+
+9.3. Design Considerations for Protocols Using DANE
+
+ When a TLS client goes to the trouble of authenticating a certificate
+ chain presented by a TLS server, it will typically not continue to
+ use that server in the event of authentication failure, or else
+ authentication serves no purpose. Some clients may, at times,
+ operate in an "audit" mode, where authentication failure is reported
+ to the user or in logs as a potential problem, but the connection
+ proceeds despite the failure. Nevertheless servers publishing TLSA
+ records MUST be configured to allow correctly configured clients to
+ successfully authenticate their TLS certificate chains.
+
+ A service with DNSSEC-validated TLSA records implicitly promises TLS
+ support. When all the TLSA records for a service are found
+ "unusable", due to unsupported parameter combinations or malformed
+ associated data, DANE clients cannot authenticate the service
+ certificate chain. When authenticated TLS is dictated by the
+ application, the client SHOULD NOT connect to the associated server.
+ If, on the other hand, the use of TLS is "opportunistic", then the
+ client SHOULD generally use the server via an unauthenticated TLS
+ connection, but if TLS encryption cannot be established, the client
+ MUST NOT use the server. Standards for DANE specific to the
+ particular application protocol may modify the above requirements, as
+ appropriate, to specify whether the connection should be established
+ anyway without relying on TLS security, with only encryption but not
+ authentication, or whether to refuse to connect entirely.
+ Application protocols need to specify when to prioritize security
+ over the ability to connect under adverse conditions.
+
+9.3.1. Design Considerations for non-PKIX Protocols
+
+ For some application protocols (such as SMTP to MX with opportunistic
+ TLS), the existing public CA PKI is not a viable alternative to DANE.
+ For these (non-PKIX) protocols, new DANE standards SHOULD NOT suggest
+ publishing TLSA records with TLSA Certificate Usage PKIX-TA(0) or
+ PKIX-EE(1), as TLS clients cannot be expected to perform [RFC5280]
+ PKIX validation or [RFC6125] identity verification.
+
+ Protocols designed for non-PKIX use SHOULD choose to treat any TLSA
+ records with TLSA Certificate Usage PKIX-TA(0) or PKIX-EE(1) as
+ unusable. After verifying that the only available TLSA Certificate
+ Usage types are PKIX-TA(0) or PKIX-EE(1), protocol specifications MAY
+ instruct clients to either refuse to initiate a connection or to
+ connect via unauthenticated TLS if no alternative authentication
+ mechanisms are available.
+
+10. Interaction with Certificate Transparency
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 23]
+?
+Internet-Draft DANE operations August 2014
+
+
+ Certificate Transparency (CT) [RFC6962] defines an experimental
+ approach to mitigate the risk of rogue or compromised public CAs
+ issuing unauthorized certificates. This section clarifies the
+ interaction of CT and DANE. CT is an experimental protocol and
+ auditing system that applies only to public CAs, and only when they
+ are free to issue unauthorized certificates for a domain. If the CA
+ is not a public CA, or a DANE-EE(3) TLSA RR directly specifies the
+ end entity certificate, there is no role for CT, and clients need not
+ apply CT checks.
+
+ When a server is authenticated via a DANE TLSA RR with TLSA
+ Certificate Usage DANE-EE(3), the domain owner has directly specified
+ the certificate associated with the given service without reference
+ to any PKIX certification authority. Therefore, when a TLS client
+ authenticates the TLS server via a TLSA certificate association with
+ usage DANE-EE(3), CT checks SHOULD NOT be performed. Publication of
+ the server certificate or public key (digest) in a TLSA record in a
+ DNSSEC signed zone by the domain owner assures the TLS client that
+ the certificate is not an unauthorized certificate issued by a rogue
+ CA without the domain owner's consent.
+
+ When a server is authenticated via a DANE TLSA RR with TLSA usage
+ DANE-TA(2) and the server certificate does not chain to a known
+ public root CA, CT cannot apply (CT logs only accept chains that
+ start with a known, public root). Since TLSA Certificate Usage DANE-
+ TA(2) is generally intended to support non-PKIX trust anchors, TLS
+ clients SHOULD NOT perform CT checks with usage DANE-TA(2) using
+ unknown root CAs.
+
+ A server operator who wants clients to perform CT checks should
+ publish TLSA RRs with usage PKIX-TA(0) or PKIX-EE(1).
+
+11. Note on DNSSEC Security
+
+ Clearly the security of the DANE TLSA PKI rests on the security of
+ the underlying DNSSEC infrastructure. While this memo is not a guide
+ to DNSSEC security, a few comments may be helpful to TLSA
+ implementers.
+
+ With the existing public CA PKI, name constraints are rarely used,
+ and a public root CA can issue certificates for any domain of its
+ choice. With DNSSEC, under the Registry/Registrar/Registrant model,
+ the situation is different: only the registrar of record can update a
+ domain's DS record in the registry parent zone (in some cases,
+ however, the registry is the sole registrar). With many gTLDs, for
+ which multiple registrars compete to provide domains in a single
+ registry, it is important to make sure that rogue registrars cannot
+ easily initiate an unauthorized domain transfer, and thus take over
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 24]
+?
+Internet-Draft DANE operations August 2014
+
+
+ DNSSEC for the domain. DNS Operators SHOULD use a registrar lock of
+ their domains to offer some protection against this possibility.
+
+ When the registrar is also the DNS operator for the domain, one needs
+ to consider whether the registrar will allow orderly migration of the
+ domain to another registrar or DNS operator in a way that will
+ maintain DNSSEC integrity. TLSA Publishers SHOULD ensure their
+ registrar publishes a suitable domain transfer policy.
+
+ DNSSEC signed RRsets cannot be securely revoked before they expire.
+ Operators should plan accordingly and not generate signatures with
+ excessively long duration periods. For domains publishing high-value
+ keys, a signature lifetime of a few days is reasonable, and the zone
+ should be resigned daily. For domains with less critical data, a
+ reasonable signature lifetime is a couple of weeks to a month, and
+ the zone should be resigned weekly. Monitoring of the signature
+ lifetime is important. If the zone is not resigned in a timely
+ manner, one risks a major outage and the entire domain will become
+ bogus.
+
+12. Summary of Updates to RFC6698
+
+ Authors note: is this section needed? Or is it sufficiently clear
+ above that we don't need to restate things here?
+
+ o In Section 3 we update [RFC6698] to specify a requirement for
+ clients to support at least TLS 1.0, and to support SNI.
+
+ o In Section 4.1 we update [RFC6698] to specify peer identity
+ matching and certificate validity interval based solely on the
+ basis of the TLSA RRset. We also specify DANE authentication of
+ raw public keys [I-D.ietf-tls-oob-pubkey] via TLSA records with
+ Certificate Usage DANE-EE(3) and selector SPKI(1).
+
+ o In Section 4.2 we update [RFC6698] to require that servers
+ publishing digest TLSA records with a usage of DANE-TA(2) MUST
+ include the trust-anchor certificate in their TLS server
+ certificate message. This extends to the case of "2 1 0" TLSA
+ records which publish a full public key.
+
+ o In Section 4.3 and Section 4.4, we explain that PKIX-EE(1) and
+ PKIX-TA(0) are generally NOT RECOMMENDED. With usage PKIX-TA(0)
+ we note that clients may need to processes extended trust chains
+ beyond the first trusted issuer, when that issuer is not self-
+ signed.
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 25]
+?
+Internet-Draft DANE operations August 2014
+
+
+ o In Section 6, we recommend that DANE application protocols specify
+ that when possible securely CNAME expanded names be used to derive
+ the TLSA base domain.
+
+ o In Section 7, we specify a strategy for managing TLSA records that
+ interoperates with DANE clients regardless of what subset of the
+ possible TLSA record types (combinations of TLSA parameters) is
+ supported by the client.
+
+ o In Section 8, we propose a digest algorithm agility protocol.
+ [Note: This section does not yet represent the rough consensus of
+ the DANE working group and requires further discussion. Perhaps
+ this belongs in a separate document.]
+
+ o In Section 9.1 we recommend against the use of Full(0) TLSA
+ records, as digest records are generally much more compact.
+
+13. Security Considerations
+
+ Application protocols that cannot make use of the existing public CA
+ PKI (so called non-PKIX protocols), may choose not to implement
+ certain PKIX-dependent TLSA record types defined in [RFC6698]. If
+ such records are published despite not being supported by the
+ application protocol, they are treated as "unusable". When TLS is
+ opportunistic, the client may proceed to use the server with
+ mandatory unauthenticated TLS. This is stronger than opportunistic
+ TLS without DANE, since in that case the client may also proceed with
+ a plaintext connection. When TLS is not opportunistic, the client
+ MUST NOT connect to the server.
+
+ Therefore, when TLSA records are used with protocols where PKIX does
+ not apply, the recommended policy is for servers to not publish PKIX-
+ dependent TLSA records, and for opportunistic TLS clients to use them
+ to enforce the use of (albeit unauthenticated) TLS, but otherwise
+ treat them as unusable. Of course, when PKIX validation is supported
+ by the application protocol, clients SHOULD perform PKIX validation
+ per [RFC6698].
+
+14. IANA Considerations
+
+ This specification requires no support from IANA.
+
+15. Acknowledgements
+
+ The authors would like to thank Phil Pennock for his comments and
+ advice on this document.
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 26]
+?
+Internet-Draft DANE operations August 2014
+
+
+ Acknowledgments from Viktor: Thanks to Tony Finch who finally prodded
+ me into participating in DANE working group discussions. Thanks to
+ Paul Hoffman who motivated me to produce this memo and provided
+ feedback on early drafts. Thanks also to Samuel Dukhovni for
+ editorial assistance.
+
+16. References
+
+16.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements", RFC
+ 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246, August 2008.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, May 2008.
+
+ [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
+ Extension Definitions", RFC 6066, January 2011.
+
+ [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
+ Verification of Domain-Based Application Service Identity
+ within Internet Public Key Infrastructure Using X.509
+ (PKIX) Certificates in the Context of Transport Layer
+ Security (TLS)", RFC 6125, March 2011.
+
+ [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
+ Security Version 1.2", RFC 6347, January 2012.
+
+ [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
+ of Named Entities (DANE) Transport Layer Security (TLS)
+ Protocol: TLSA", RFC 6698, August 2012.
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 27]
+?
+Internet-Draft DANE operations August 2014
+
+
+ [RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
+ Conversations about DNS-Based Authentication of Named
+ Entities (DANE)", RFC 7218, April 2014.
+
+16.2. Informative References
+
+ [I-D.dukhovni-opportunistic-security]
+ Dukhovni, V., "Opportunistic Security: Some Protection
+ Most of the Time", draft-dukhovni-opportunistic-
+ security-03 (work in progress), August 2014.
+
+ [I-D.ietf-dane-smtp-with-dane]
+ Dukhovni, V. and W. Hardaker, "SMTP security via
+ opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-11
+ (work in progress), August 2014.
+
+ [I-D.ietf-dane-srv]
+ Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
+ Based Authentication of Named Entities (DANE) TLSA Records
+ with SRV Records", draft-ietf-dane-srv-07 (work in
+ progress), July 2014.
+
+ [I-D.ietf-tls-oob-pubkey]
+ Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and
+ T. Kivinen, "Using Raw Public Keys in Transport Layer
+ Security (TLS) and Datagram Transport Layer Security
+ (DTLS)", draft-ietf-tls-oob-pubkey-11 (work in progress),
+ January 2014.
+
+ [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate
+ Transparency", RFC 6962, June 2013.
+
+Authors' Addresses
+
+ Viktor Dukhovni
+ Unaffiliated
+
+ Email: ietf-dane@???
+
+
+ Wes Hardaker
+ Parsons
+ P.O. Box 382
+ Davis, CA 95617
+ US
+
+ Email: ietf@???
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 28]
diff --git a/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt b/doc/doc-txt/draft-ietf-dane-smtp-with-dane-12.txt
similarity index 90%
copy from doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt
copy to doc/doc-txt/draft-ietf-dane-smtp-with-dane-12.txt
index 26bed33..70ae5d6 100644
--- a/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt
+++ b/doc/doc-txt/draft-ietf-dane-smtp-with-dane-12.txt
@@ -5,12 +5,12 @@
DANE V. Dukhovni
Internet-Draft Two Sigma
Intended status: Standards Track W. Hardaker
-Expires: February 3, 2015 Parsons
- August 2, 2014
+Expires: February 18, 2015 Parsons
+ August 17, 2014
SMTP security via opportunistic DANE TLS
- draft-ietf-dane-smtp-with-dane-11
+ draft-ietf-dane-smtp-with-dane-12
Abstract
@@ -36,7 +36,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on February 3, 2015.
+ This Internet-Draft will expire on February 18, 2015.
Copyright Notice
@@ -53,7 +53,7 @@ Copyright Notice
-Dukhovni & Hardaker Expires February 3, 2015 [Page 1]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 1]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -91,25 +91,25 @@ Table of Contents
3.2.3. Reference identifier matching . . . . . . . . . . . . 25
4. Server key management . . . . . . . . . . . . . . . . . . . . 26
5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26
- 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 28
- 7. Note on DANE for Message User Agents . . . . . . . . . . . . 29
- 8. Interoperability considerations . . . . . . . . . . . . . . . 29
- 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 29
- 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 30
- 9. Operational Considerations . . . . . . . . . . . . . . . . . 30
- 9.1. Client Operational Considerations . . . . . . . . . . . . 30
- 9.2. Publisher Operational Considerations . . . . . . . . . . 31
- 10. Security Considerations . . . . . . . . . . . . . . . . . . . 31
- 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 32
- 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
- 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33
- 13.1. Normative References . . . . . . . . . . . . . . . . . . 33
- 13.2. Informative References . . . . . . . . . . . . . . . . . 34
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 2]
+ 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 27
+ 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27
+ 8. Interoperability considerations . . . . . . . . . . . . . . . 28
+ 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 28
+ 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28
+ 9. Operational Considerations . . . . . . . . . . . . . . . . . 29
+ 9.1. Client Operational Considerations . . . . . . . . . . . . 29
+ 9.2. Publisher Operational Considerations . . . . . . . . . . 30
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+ 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 31
+ 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . 31
+ 13.2. Informative References . . . . . . . . . . . . . . . . . 32
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 2]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -165,7 +165,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 3]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 3]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -221,7 +221,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 4]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 4]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -277,7 +277,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 5]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 5]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -333,7 +333,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 6]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 6]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -389,7 +389,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 7]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 7]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -445,7 +445,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 8]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 8]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -497,11 +497,11 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
and "anchorless" RRsets MUST be handled identically: in either case
unvalidated data for the query domain is all that is and can be
available, and authentication using the data is impossible. In what
- follows, the term "insecure" will also includes the case of
+ follows, the term "insecure" will also include the case of
-Dukhovni & Hardaker Expires February 3, 2015 [Page 9]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 9]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -557,7 +557,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 10]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 10]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -613,7 +613,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 11]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 11]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -669,7 +669,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 12]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 12]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -725,7 +725,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 13]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 13]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -739,7 +739,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists a network address in
lieu of an MX hostname, if an MTA chooses to connect to the network
- address in the non-conformat MX record, DANE TLSA does not apply for
+ address in the non-conformant MX record, DANE TLSA does not apply for
such a connection.
In the subsections that follow we explain how to locate the SMTP
@@ -781,7 +781,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 14]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 14]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -837,7 +837,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 15]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 15]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -893,7 +893,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 16]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 16]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -949,7 +949,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 17]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 17]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1005,7 +1005,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 18]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 18]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1061,7 +1061,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 19]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 19]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1117,7 +1117,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 20]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 20]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1173,7 +1173,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 21]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 21]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1229,7 +1229,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 22]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 22]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1285,7 +1285,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 23]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 23]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1341,7 +1341,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 24]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 24]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1397,7 +1397,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 25]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 25]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1438,116 +1438,36 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
CNAME record that references the centrally operated DANE-TA(2) RRset.
If a particular server's key is compromised, its TLSA CNAME SHOULD be
replaced with a DANE-EE(3) association until the certificate for the
- compromised key expires, at which point it can return to using CNAME
- record. If the central trust anchor is compromised, all servers need
- to be issued new keys by a new TA, and a shared DANE-TA(2) TLSA RRset
- needs to be published containing just the new TA. SMTP servers
- cannot expect broad SMTP client CRL or OCSP support.
+ compromised key expires, at which point it can return to using a
+ CNAME record. If the central trust anchor is compromised, all
+ servers need to be issued new keys by a new TA, and an updated DANE-
+ TA(2) TLSA RRset needs to be published containing just the new TA.
+
+ SMTP servers cannot expect broad CRL or OCSP support from SMTP
+ clients. As outlined above, with DANE, compromised server or trust
+ anchor keys can be "revoked" by removing them from the DNS without
+ the need for client-side support for OCSP or CRLs.
5. Digest algorithm agility
- While [RFC6698] specifies multiple digest algorithms, it does not
- specify a protocol by which the SMTP client and TLSA record publisher
- can agree on the strongest shared algorithm. Such a protocol would
- allow the client and server to avoid exposure to any deprecated
-Dukhovni & Hardaker Expires February 3, 2015 [Page 26]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 26]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ While [RFC6698] specifies multiple digest algorithms, it does not
+ specify a protocol by which the SMTP client and TLSA record publisher
+ can agree on the strongest shared algorithm. Such a protocol would
+ allow the client and server to avoid exposure to any deprecated
weaker algorithms that are published for compatibility with less
- capable clients, but should be ignored when possible. We specify
- such a protocol below.
-
- Suppose that a DANE TLS client authenticating a TLS server considers
- digest algorithm "BetterAlg" stronger than digest algorithm
- "WorseAlg". Suppose further that a server's TLSA RRset contains some
- records with "BetterAlg" as the digest algorithm. Finally, suppose
- that for every raw public key or certificate object that is included
- in the server's TLSA RRset in digest form, whenever that object
- appears with algorithm "WorseAlg" with some usage and selector it
- also appears with algorithm "BetterAlg" with the same usage and
- selector. In that case our client can safely ignore TLSA records
- with the weaker algorithm "WorseAlg", because it suffices to check
- the records with the stronger algorithm "BetterAlg".
-
- Server operators MUST ensure that for any given usage and selector,
- each object (certificate or public key), for which a digest
- association exists in the TLSA RRset, is published with the SAME SET
- of digest algorithms as all other objects that published with that
- usage and selector. In other words, for each usage and selector, the
- records with non-zero matching types will correspond to on a cross-
- product of a set of underlying objects and a fixed set of digest
- algorithms that apply uniformly to all the objects.
-
- To achieve digest algorithm agility, all published TLSA RRsets for
- use with opportunistic DANE TLS for SMTP MUST conform to the above
- requirements. Then, for each combination of usage and selector, SMTP
- clients can simply ignore all digest records except those that employ
- the strongest digest algorithm. The ordering of digest algorithms by
- strength is not specified in advance, it is entirely up to the SMTP
- client. SMTP client implementations SHOULD make the digest algorithm
- preference order configurable. Only the future will tell which
- algorithms might be weakened by new attacks and when.
-
- Note, TLSA records with a matching type of Full(0), that publish the
- full value of a certificate or public key object, play no role in
- digest algorithm agility. They neither trump the processing of
- records that employ digests, nor are they ignored in the presence of
- any records with a digest (i.e. non-zero) matching type.
-
-
-
-
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 27]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
- SMTP clients SHOULD use digest algorithm agility when processing the
- DANE TLSA records of an SMTP server. Algorithm agility is to be
- applied after first discarding any unusable or malformed records
- (unsupported digest algorithm, or incorrect digest length). Thus,
- for each usage and selector, the client SHOULD process only any
- usable records with a matching type of Full(0) and the usable records
- whose digest algorithm is believed to be the strongest among usable
- records with the given usage and selector.
-
- The main impact of this requirement is on key rotation, when the TLSA
- RRset is pre-populated with digests of new certificates or public
- keys, before these replace or augment their predecessors. Were the
- newly introduced RRs to include previously unused digest algorithms,
- clients that employ this protocol could potentially ignore all the
- digests corresponding to the current keys or certificates, causing
- connectivity issues until the new keys or certificates are deployed.
- Similarly, publishing new records with fewer digests could cause
- problems for clients using cached TLSA RRsets that list both the old
- and new objects once the new keys are deployed.
-
- To avoid problems, server operators SHOULD apply the following
- strategy:
-
- o When changing the set of objects published via the TLSA RRset
- (e.g. during key rotation), DO NOT change the set of digest
- algorithms used; change just the list of objects.
-
- o When changing the set of digest algorithms, change only the set of
- algorithms, and generate a new RRset in which all the current
- objects are re-published with the new set of digest algorithms.
-
- After either of these two changes are made, the new TLSA RRset should
- be left in place long enough that the older TLSA RRset can be flushed
- from caches before making another change.
+ capable clients, but should be ignored when possible. Such a
+ protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and
+ servers that implement this specification MUST comply with the
+ requirements outlined under "Digest Algorithm Agility" in
+ [I-D.ietf-dane-ops].
6. Mandatory TLS Security
@@ -1562,14 +1482,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
MX hostnames, a sending MTA can be configured to use the receiving
domains's DANE TLSA records to authenticate the corresponding SMTP
server. Authentication via DANE TLSA records is easier to manage, as
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 28]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
changes in the receiver's expected certificate properties are made on
the receiver end and don't require manually communicated
configuration changes. With mandatory DANE TLS, when no usable TLSA
@@ -1595,6 +1507,13 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
replaced by corresponding DNS Service (SRV) records
[I-D.ietf-dane-srv].
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 27]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
However, until MUAs begin to adopt the dynamic configuration
mechanisms of [RFC6186] they are adequately served by more
traditional static TLS security policies. Specification of DANE TLS
@@ -1618,14 +1537,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Each SMTP server MUST present a certificate chain (see [RFC5246]
Section 7.4.2) that matches at least one of the TLSA records. The
server MAY rely on SNI to determine which certificate chain to
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 29]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
present to the client. Clients that don't send SNI information may
not see the expected certificate chain.
@@ -1651,6 +1562,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
offer to negotiate a typical set of non-anonymous cipher suites
required for interoperability with such servers. An SMTP client
employing pre-DANE opportunistic TLS MAY in addition include one or
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 28]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
more anonymous TLS cipher suites in its TLS HELLO. SMTP servers,
that need to interoperate with opportunistic TLS clients SHOULD be
prepared to interoperate with such clients by either always selecting
@@ -1674,14 +1593,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until
the error is resolved and disabling opportunistic or mandatory DANE
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 30]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
TLS for one or more destinations. The choice to disable DANE TLS
security should not be made lightly. Every reasonable effort should
be made to determine that problems with mail delivery are the result
@@ -1702,6 +1613,19 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
least one TLSA record when usable TLSA records are found for that
server.
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 29]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
9.2. Publisher Operational Considerations
SMTP servers that publish certificate usage DANE-TA(2) associations
@@ -1709,13 +1633,11 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
chain, even when that TA certificate is a self-signed root
certificate.
- TLSA Publishers MUST follow the digest agility guidelines in
- Section 5 and MUST make sure that all objects published in digest
- form for a particular usage and selector are published with the same
- set of digest algorithms.
+ TLSA Publishers MUST follow the guidelines in the "TLSA Publisher
+ Requirements" section of [I-D.ietf-dane-ops].
- TLSA Publishers should follow the TLSA publication size guidance
- found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines".
+ TLSA Publishers SHOULD follow the TLSA publication size guidance
+ found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines".
10. Security Considerations
@@ -1726,18 +1648,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
sending MTAs to securely discover both the availability of TLS and
how to authenticate the destination.
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 31]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a
@@ -1764,6 +1674,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
specification that indicate when it is appropriate to initiate a non-
authenticated connection or cleartext connection to a SMTP server.
Specifically, in order to prevent downgrade attacks on this protocol,
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 30]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
implementation must not initiate a connection when this specification
indicates a particular SMTP server must be considered unreachable.
@@ -1786,22 +1704,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation.
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 32]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
13. References
13.1. Normative References
[I-D.ietf-dane-ops]
- Dukhovni, V. and W. Hardaker, "DANE TLSA implementation
- and operational guidance", draft-ietf-dane-ops-00 (work in
- progress), October 2013.
+ Dukhovni, V. and W. Hardaker, "Updates to and Operational
+ Guidance for the DANE Protocol", draft-ietf-dane-ops-06
+ (work in progress), August 2014.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
@@ -1820,6 +1730,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 31]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
@@ -1838,18 +1756,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
Extension Definitions", RFC 6066, January 2011.
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 33]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
@@ -1879,32 +1785,32 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
13.2. Informative References
[I-D.dukhovni-opportunistic-security]
- Dukhovni, V., "Opportunistic Security: some protection
- most of the time", draft-dukhovni-opportunistic-
- security-01 (work in progress), July 2014.
-
- [I-D.ietf-dane-srv]
- Finch, T., "Using DNS-Based Authentication of Named
- Entities (DANE) TLSA records with SRV and MX records.",
- draft-ietf-dane-srv-02 (work in progress), February 2013.
- [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
- 2009.
- [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
- STD 72, RFC 6409, November 2011.
-Authors' Addresses
+Dukhovni & Hardaker Expires February 18, 2015 [Page 32]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ Dukhovni, V., "Opportunistic Security: Some Protection
+ Most of the Time", draft-dukhovni-opportunistic-
+ security-03 (work in progress), August 2014.
+ [I-D.ietf-dane-srv]
+ Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
+ Based Authentication of Named Entities (DANE) TLSA Records
+ with SRV Records", draft-ietf-dane-srv-07 (work in
+ progress), July 2014.
+ [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
+ 2009.
-Dukhovni & Hardaker Expires February 3, 2015 [Page 34]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
+ STD 72, RFC 6409, November 2011.
+Authors' Addresses
Viktor Dukhovni
Two Sigma
@@ -1939,22 +1845,4 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 35]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 33]
diff --git a/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt b/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt
index 26bed33..70ae5d6 100644
--- a/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt
+++ b/doc/doc-txt/draft-ietf-dane-smtp-with-dane.txt
@@ -5,12 +5,12 @@
DANE V. Dukhovni
Internet-Draft Two Sigma
Intended status: Standards Track W. Hardaker
-Expires: February 3, 2015 Parsons
- August 2, 2014
+Expires: February 18, 2015 Parsons
+ August 17, 2014
SMTP security via opportunistic DANE TLS
- draft-ietf-dane-smtp-with-dane-11
+ draft-ietf-dane-smtp-with-dane-12
Abstract
@@ -36,7 +36,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on February 3, 2015.
+ This Internet-Draft will expire on February 18, 2015.
Copyright Notice
@@ -53,7 +53,7 @@ Copyright Notice
-Dukhovni & Hardaker Expires February 3, 2015 [Page 1]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 1]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -91,25 +91,25 @@ Table of Contents
3.2.3. Reference identifier matching . . . . . . . . . . . . 25
4. Server key management . . . . . . . . . . . . . . . . . . . . 26
5. Digest algorithm agility . . . . . . . . . . . . . . . . . . 26
- 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 28
- 7. Note on DANE for Message User Agents . . . . . . . . . . . . 29
- 8. Interoperability considerations . . . . . . . . . . . . . . . 29
- 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 29
- 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 30
- 9. Operational Considerations . . . . . . . . . . . . . . . . . 30
- 9.1. Client Operational Considerations . . . . . . . . . . . . 30
- 9.2. Publisher Operational Considerations . . . . . . . . . . 31
- 10. Security Considerations . . . . . . . . . . . . . . . . . . . 31
- 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 32
- 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
- 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33
- 13.1. Normative References . . . . . . . . . . . . . . . . . . 33
- 13.2. Informative References . . . . . . . . . . . . . . . . . 34
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 2]
+ 6. Mandatory TLS Security . . . . . . . . . . . . . . . . . . . 27
+ 7. Note on DANE for Message User Agents . . . . . . . . . . . . 27
+ 8. Interoperability considerations . . . . . . . . . . . . . . . 28
+ 8.1. SNI support . . . . . . . . . . . . . . . . . . . . . . . 28
+ 8.2. Anonymous TLS cipher suites . . . . . . . . . . . . . . . 28
+ 9. Operational Considerations . . . . . . . . . . . . . . . . . 29
+ 9.1. Client Operational Considerations . . . . . . . . . . . . 29
+ 9.2. Publisher Operational Considerations . . . . . . . . . . 30
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 30
+ 11. IANA considerations . . . . . . . . . . . . . . . . . . . . . 31
+ 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . 31
+ 13.2. Informative References . . . . . . . . . . . . . . . . . 32
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 2]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -165,7 +165,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 3]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 3]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -221,7 +221,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 4]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 4]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -277,7 +277,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 5]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 5]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -333,7 +333,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 6]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 6]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -389,7 +389,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 7]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 7]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -445,7 +445,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 8]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 8]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -497,11 +497,11 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
and "anchorless" RRsets MUST be handled identically: in either case
unvalidated data for the query domain is all that is and can be
available, and authentication using the data is impossible. In what
- follows, the term "insecure" will also includes the case of
+ follows, the term "insecure" will also include the case of
-Dukhovni & Hardaker Expires February 3, 2015 [Page 9]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 9]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -557,7 +557,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 10]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 10]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -613,7 +613,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 11]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 11]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -669,7 +669,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 12]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 12]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -725,7 +725,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 13]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 13]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -739,7 +739,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
any relevant security policy configured by the MTA administrator.
Similarly, when an MX RRset incorrectly lists a network address in
lieu of an MX hostname, if an MTA chooses to connect to the network
- address in the non-conformat MX record, DANE TLSA does not apply for
+ address in the non-conformant MX record, DANE TLSA does not apply for
such a connection.
In the subsections that follow we explain how to locate the SMTP
@@ -781,7 +781,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 14]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 14]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -837,7 +837,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 15]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 15]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -893,7 +893,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 16]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 16]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -949,7 +949,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 17]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 17]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1005,7 +1005,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 18]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 18]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1061,7 +1061,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 19]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 19]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1117,7 +1117,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 20]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 20]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1173,7 +1173,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 21]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 21]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1229,7 +1229,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 22]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 22]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1285,7 +1285,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 23]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 23]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1341,7 +1341,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 24]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 24]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1397,7 +1397,7 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-Dukhovni & Hardaker Expires February 3, 2015 [Page 25]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 25]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
@@ -1438,116 +1438,36 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
CNAME record that references the centrally operated DANE-TA(2) RRset.
If a particular server's key is compromised, its TLSA CNAME SHOULD be
replaced with a DANE-EE(3) association until the certificate for the
- compromised key expires, at which point it can return to using CNAME
- record. If the central trust anchor is compromised, all servers need
- to be issued new keys by a new TA, and a shared DANE-TA(2) TLSA RRset
- needs to be published containing just the new TA. SMTP servers
- cannot expect broad SMTP client CRL or OCSP support.
+ compromised key expires, at which point it can return to using a
+ CNAME record. If the central trust anchor is compromised, all
+ servers need to be issued new keys by a new TA, and an updated DANE-
+ TA(2) TLSA RRset needs to be published containing just the new TA.
+
+ SMTP servers cannot expect broad CRL or OCSP support from SMTP
+ clients. As outlined above, with DANE, compromised server or trust
+ anchor keys can be "revoked" by removing them from the DNS without
+ the need for client-side support for OCSP or CRLs.
5. Digest algorithm agility
- While [RFC6698] specifies multiple digest algorithms, it does not
- specify a protocol by which the SMTP client and TLSA record publisher
- can agree on the strongest shared algorithm. Such a protocol would
- allow the client and server to avoid exposure to any deprecated
-Dukhovni & Hardaker Expires February 3, 2015 [Page 26]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 26]
?
Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ While [RFC6698] specifies multiple digest algorithms, it does not
+ specify a protocol by which the SMTP client and TLSA record publisher
+ can agree on the strongest shared algorithm. Such a protocol would
+ allow the client and server to avoid exposure to any deprecated
weaker algorithms that are published for compatibility with less
- capable clients, but should be ignored when possible. We specify
- such a protocol below.
-
- Suppose that a DANE TLS client authenticating a TLS server considers
- digest algorithm "BetterAlg" stronger than digest algorithm
- "WorseAlg". Suppose further that a server's TLSA RRset contains some
- records with "BetterAlg" as the digest algorithm. Finally, suppose
- that for every raw public key or certificate object that is included
- in the server's TLSA RRset in digest form, whenever that object
- appears with algorithm "WorseAlg" with some usage and selector it
- also appears with algorithm "BetterAlg" with the same usage and
- selector. In that case our client can safely ignore TLSA records
- with the weaker algorithm "WorseAlg", because it suffices to check
- the records with the stronger algorithm "BetterAlg".
-
- Server operators MUST ensure that for any given usage and selector,
- each object (certificate or public key), for which a digest
- association exists in the TLSA RRset, is published with the SAME SET
- of digest algorithms as all other objects that published with that
- usage and selector. In other words, for each usage and selector, the
- records with non-zero matching types will correspond to on a cross-
- product of a set of underlying objects and a fixed set of digest
- algorithms that apply uniformly to all the objects.
-
- To achieve digest algorithm agility, all published TLSA RRsets for
- use with opportunistic DANE TLS for SMTP MUST conform to the above
- requirements. Then, for each combination of usage and selector, SMTP
- clients can simply ignore all digest records except those that employ
- the strongest digest algorithm. The ordering of digest algorithms by
- strength is not specified in advance, it is entirely up to the SMTP
- client. SMTP client implementations SHOULD make the digest algorithm
- preference order configurable. Only the future will tell which
- algorithms might be weakened by new attacks and when.
-
- Note, TLSA records with a matching type of Full(0), that publish the
- full value of a certificate or public key object, play no role in
- digest algorithm agility. They neither trump the processing of
- records that employ digests, nor are they ignored in the presence of
- any records with a digest (i.e. non-zero) matching type.
-
-
-
-
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 27]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
- SMTP clients SHOULD use digest algorithm agility when processing the
- DANE TLSA records of an SMTP server. Algorithm agility is to be
- applied after first discarding any unusable or malformed records
- (unsupported digest algorithm, or incorrect digest length). Thus,
- for each usage and selector, the client SHOULD process only any
- usable records with a matching type of Full(0) and the usable records
- whose digest algorithm is believed to be the strongest among usable
- records with the given usage and selector.
-
- The main impact of this requirement is on key rotation, when the TLSA
- RRset is pre-populated with digests of new certificates or public
- keys, before these replace or augment their predecessors. Were the
- newly introduced RRs to include previously unused digest algorithms,
- clients that employ this protocol could potentially ignore all the
- digests corresponding to the current keys or certificates, causing
- connectivity issues until the new keys or certificates are deployed.
- Similarly, publishing new records with fewer digests could cause
- problems for clients using cached TLSA RRsets that list both the old
- and new objects once the new keys are deployed.
-
- To avoid problems, server operators SHOULD apply the following
- strategy:
-
- o When changing the set of objects published via the TLSA RRset
- (e.g. during key rotation), DO NOT change the set of digest
- algorithms used; change just the list of objects.
-
- o When changing the set of digest algorithms, change only the set of
- algorithms, and generate a new RRset in which all the current
- objects are re-published with the new set of digest algorithms.
-
- After either of these two changes are made, the new TLSA RRset should
- be left in place long enough that the older TLSA RRset can be flushed
- from caches before making another change.
+ capable clients, but should be ignored when possible. Such a
+ protocol is specified in [I-D.ietf-dane-ops]. SMTP clients and
+ servers that implement this specification MUST comply with the
+ requirements outlined under "Digest Algorithm Agility" in
+ [I-D.ietf-dane-ops].
6. Mandatory TLS Security
@@ -1562,14 +1482,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
MX hostnames, a sending MTA can be configured to use the receiving
domains's DANE TLSA records to authenticate the corresponding SMTP
server. Authentication via DANE TLSA records is easier to manage, as
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 28]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
changes in the receiver's expected certificate properties are made on
the receiver end and don't require manually communicated
configuration changes. With mandatory DANE TLS, when no usable TLSA
@@ -1595,6 +1507,13 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
replaced by corresponding DNS Service (SRV) records
[I-D.ietf-dane-srv].
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 27]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
However, until MUAs begin to adopt the dynamic configuration
mechanisms of [RFC6186] they are adequately served by more
traditional static TLS security policies. Specification of DANE TLS
@@ -1618,14 +1537,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Each SMTP server MUST present a certificate chain (see [RFC5246]
Section 7.4.2) that matches at least one of the TLSA records. The
server MAY rely on SNI to determine which certificate chain to
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 29]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
present to the client. Clients that don't send SNI information may
not see the expected certificate chain.
@@ -1651,6 +1562,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
offer to negotiate a typical set of non-anonymous cipher suites
required for interoperability with such servers. An SMTP client
employing pre-DANE opportunistic TLS MAY in addition include one or
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 28]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
more anonymous TLS cipher suites in its TLS HELLO. SMTP servers,
that need to interoperate with opportunistic TLS clients SHOULD be
prepared to interoperate with such clients by either always selecting
@@ -1674,14 +1593,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
failure to deliver time-sensitive email. The sending MTA
administrator may have to choose between letting email queue until
the error is resolved and disabling opportunistic or mandatory DANE
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 30]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
TLS for one or more destinations. The choice to disable DANE TLS
security should not be made lightly. Every reasonable effort should
be made to determine that problems with mail delivery are the result
@@ -1702,6 +1613,19 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
least one TLSA record when usable TLSA records are found for that
server.
+
+
+
+
+
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 29]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
9.2. Publisher Operational Considerations
SMTP servers that publish certificate usage DANE-TA(2) associations
@@ -1709,13 +1633,11 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
chain, even when that TA certificate is a self-signed root
certificate.
- TLSA Publishers MUST follow the digest agility guidelines in
- Section 5 and MUST make sure that all objects published in digest
- form for a particular usage and selector are published with the same
- set of digest algorithms.
+ TLSA Publishers MUST follow the guidelines in the "TLSA Publisher
+ Requirements" section of [I-D.ietf-dane-ops].
- TLSA Publishers should follow the TLSA publication size guidance
- found in [I-D.ietf-dane-ops] about "DANE DNS Record Size Guidelines".
+ TLSA Publishers SHOULD follow the TLSA publication size guidance
+ found in [I-D.ietf-dane-ops] under "DANE DNS Record Size Guidelines".
10. Security Considerations
@@ -1726,18 +1648,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
sending MTAs to securely discover both the availability of TLS and
how to authenticate the destination.
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 31]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
This protocol does not aim to secure all SMTP traffic, as that is not
practical until DNSSEC and DANE adoption are universal. The
incremental deployment provided by following this specification is a
@@ -1764,6 +1674,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
specification that indicate when it is appropriate to initiate a non-
authenticated connection or cleartext connection to a SMTP server.
Specifically, in order to prevent downgrade attacks on this protocol,
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 30]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
implementation must not initiate a connection when this specification
indicates a particular SMTP server must be considered unreachable.
@@ -1786,22 +1704,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Postfix, and whose advice and feedback were essential to the
development of the Postfix DANE implementation.
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 32]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
13. References
13.1. Normative References
[I-D.ietf-dane-ops]
- Dukhovni, V. and W. Hardaker, "DANE TLSA implementation
- and operational guidance", draft-ietf-dane-ops-00 (work in
- progress), October 2013.
+ Dukhovni, V. and W. Hardaker, "Updates to and Operational
+ Guidance for the DANE Protocol", draft-ietf-dane-ops-06
+ (work in progress), August 2014.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
@@ -1820,6 +1730,14 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
+
+
+
+Dukhovni & Hardaker Expires February 18, 2015 [Page 31]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+
+
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
@@ -1838,18 +1756,6 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
[RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
Extension Definitions", RFC 6066, January 2011.
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 33]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
@@ -1879,32 +1785,32 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
13.2. Informative References
[I-D.dukhovni-opportunistic-security]
- Dukhovni, V., "Opportunistic Security: some protection
- most of the time", draft-dukhovni-opportunistic-
- security-01 (work in progress), July 2014.
-
- [I-D.ietf-dane-srv]
- Finch, T., "Using DNS-Based Authentication of Named
- Entities (DANE) TLSA records with SRV and MX records.",
- draft-ietf-dane-srv-02 (work in progress), February 2013.
- [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
- 2009.
- [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
- STD 72, RFC 6409, November 2011.
-Authors' Addresses
+Dukhovni & Hardaker Expires February 18, 2015 [Page 32]
+?
+Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ Dukhovni, V., "Opportunistic Security: Some Protection
+ Most of the Time", draft-dukhovni-opportunistic-
+ security-03 (work in progress), August 2014.
+ [I-D.ietf-dane-srv]
+ Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
+ Based Authentication of Named Entities (DANE) TLSA Records
+ with SRV Records", draft-ietf-dane-srv-07 (work in
+ progress), July 2014.
+ [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
+ 2009.
-Dukhovni & Hardaker Expires February 3, 2015 [Page 34]
-?
-Internet-Draft SMTP security via opportunistic DANE TLS August 2014
+ [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
+ STD 72, RFC 6409, November 2011.
+Authors' Addresses
Viktor Dukhovni
Two Sigma
@@ -1939,22 +1845,4 @@ Internet-Draft SMTP security via opportunistic DANE TLS August 2014
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Dukhovni & Hardaker Expires February 3, 2015 [Page 35]
+Dukhovni & Hardaker Expires February 18, 2015 [Page 33]
