> There's nothing to be gained by publishing SCTs in self-issued DANE-EE
> validated certificates. Are you proposing to make SCTs mandatory in
> DANE? Which user agents would insist on such SCTs and why? If not,
> what problem would optionally including them solve?
Yes, primarily for browser user agents.
See below on use cases/problems.
> Note also that the "expiration" date of DANE-EE certificates is ignored,
> the freshness of the key binding is attested via the TLSA record RRSIG,
> rather than the dates in the certificate. The proposed 90-day limits on
> "certificate lifetime" are antithetical to DANE-EE.
Noted and understood, although not sure I agree the certificate expiry should
be ignored. What happens if I put a TLSA record for a CA certificate that then
traditionally expires? Would user agents be expected to fall-back to using the
RRSIG freshness?
> In principle (I am not tracking whether there are extant
implementations), DANE-EE even supports TLS with RFC 7250 "raw public
> keys", where there are no certificate at all!
Huh, interesting - will look into, thanks.
I hadn't come across DNSSEC-Transparency so that probably covers a lot/all of
the following, however I think it's worth considering CT log incorporation as
that ecosystem is well established and the adoption of self-signed certificates
(SSCs) would likely require little revision by monitors/user agents etc.
Consider the following use cases/user stories (U) and how (H) I believe
inclusion of SSCs to CT logs can support alongside CA certificates (CACs):
1.U: As a user agent, I want to prevent users from accessing potentially
malicious versions of a website so that I can protect users from harm.
1.H: If presented with an SSC the user agent would require TLSA records and a
complete DNSSEC chain and for the presence of an SCT for checking a CT log,
doing those increases the level of assurance that the presented SSC is valid
for the given website. If only one is valid, then some misissuance could have
occured and a block or warning could be displayed to the user.
2.U: As a website operator, I want to monitor for certificates (intended to be
trusted by user agents) issued for my known domain so that I can look for any
misissuance to protect my end users against malicious versions.
2.H: Website operators could implement direct monitoring against a domain to
check the presented certificate (SSC or CAC) but what if a different network is
presenting something differently to other users - monitoring of CT logs that an
SSC has been issued (where as in 1. user agents require to not show
warning/block) could alert me to misissuance and that some of my users may
be/being targeted by some sort of (person-in-the-middle) attack where I can
look to mitigate/notify users.
3.U: As an organisation ("example.com") with many domains and websites, I want
to monitor for certificates issued against one of my brands so that I can
investigate and look for potentially malicious versions of my websites to
mitigate like creating takedown requests or adding to blocklists.
3.H: As with 2., direct monitoring could be done but that relies on me already
knowing about an asset or domain. If I could look for "*.example.*" or
"example.*" or "exampl3.*" in CT logs (either SSC or CAC) to identify domains I
didn't know about previously, I could investigate if they're a potentially
malicious version.
4.U: As a website operator, I want to check my certificates for imminent expiry
so that I can act on renewing or fixing the automated process before users are
presented with an error.
4.H: I could use a monitoring service that looks at CT logs where SSCs or CACs
are inventoried and checked for soon-to-be expired certificates, where I'd
receive a notification about them.
5.U: As an enterprise with many domains and websites, I want to monitor for
certificates issued against my domains so that I can investigate and look for
potential shadow IT to ensure compliance and increase efficiencies.
5.H: I could use a monitoring service to identify domains and ensure they're
part of my policies (e.g. must be in a CMDB or I only want SSCs or CACs to be
used).
Some additional thoughts:
- perhaps we could have "Expect-CT: 2" to designate a SSC vs current "1" for a
CAC for user agents to handle differently
- perhaps we could have a CAA flag for no CA but DANE:
example.com. IN CAA 0 issue "; tlsa=1"
Thanks,
Ollie___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
