On Tue, Mar 05, 2013 at 01:45:49PM -0500, Andrew Sullivan wrote:
> On Tue, Mar 05, 2013 at 06:29:26PM +0000, Viktor Dukhovni wrote:
> > Lemma. If the attacker has compromised the DNS to the extent that
> > he can sign new RRsets that the domain owner never signed, he wins,
> > whether the client checks names or not.
>
> If the attacker actually has control of the domain, all bets are off.
> I fail to see how this is an interesting case.

It is not, we agree; I am ruling it out for the record.

My argument boils down to:

- If the domain owner never generates TLSA 1 records for end-entity
  certs whose name does not match the <fqdn> in:

      _port._proto.<fqdn> IN TLSA 1 ...

  then the client check never fails and is therefore redundant (for
  those domains).

- If the domain owner does generate an authentically signed
  TLSA 1 record:

      _port._proto.<fqdn> IN TLSA 1 ...

  with <fqdn> nowhere to be found in the cert, we should take the
  domain owner at his word. There's no attacker here, just a
  domain owner who wants to bind an existing end-entity certificate
  to a new host; he chooses 1 rather than 3, as he believes that
  the CA he paid money adds some value via e.g. OCSP support allowing
  the certificate to be revoked. (As noted in a parallel thread there
  is no revocation for TLSA).

The choice should be up to the server owner, and there is no reason
for the client (really clients collectively by enforcing name checks
in sufficient numbers) to take away this choice. The domain owner can
still make the choice by never binding mismatched names. I claim that's
where the choice ought to be made.

--
Viktor.