The SMTP draft specifies a digest algorithm agility protocol for DANE.
In this thread it would be helpful to arrive at consensus around
the proposal, or a modified proposal if a better approach is
suggested. Once that's settled, we can briefly touch on which document
is the right home for this protocol.
Goal:
* It should be possible for servers to publish TLSA records
employing multiple digest algorithms allowing clients to
choose the best mutually supported digest.
Important barrier:
* When two or more distinct objects (multiple certificates or multiple
public keys) are published in TLSA records with multiple
digest algorithms, it is not possible based on the TLSA records
alone to partition the records by object instance, combining
related records that are merely different digests of the same
underlying object.
* What this means is that clients can't tell whether ignoring all
the records for a given weaker digest does not result in
leaving out some objects which are only present with that
digest.
Design:
* The burden of making it safe to disregard records with deprecated or
in any case less preferred digest algorithms is placed on the TLSA
record publisher.
* If for each given usage and selector, each published object that
appears with a non-zero (i.e. a digest) matching type appears with
the *same set* of digests as all other objects with that usage and
selector, then it is definitely safe for clients to disregard all
records except those with strongest (per client configuration)
algorithm.
* The server MUST employ this approach to publishing its records.
* The client SHOULD employ digest algorithm agility by ignoring
all but the strongest non-zero digest for each usage/selector
combination. Note, records with matching type zero play no
role in digest algorithm agility.
Open issue:
* Suppose the server records are clearly in violation of the
requirement, because the number of records for one of the
digest algorithms is strictly greater than the (non-zero)
number of records for some other algorithm.
Should the client apply the agility algorithm anyway (server
is to blame if this is not safe)? Or should it avoid using
digest agility in this case?
Note, avoiding the algorithm does not solve all possible
problems. The digest values could be mistranscribed, or
even though the counts are the same, the sets of underlying
objects for some pair of algorithms might still not be
identical.
Larger question:
* Is this the right agility protocol? It seems to me to be
roughly the best we can do given the structure of TLSA
records.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
