> On Apr 16, 2018, at 4:21 PM, Paul Wouters <p...@nohats.ca> wrote:
>
> This seems dangerous. If an attacker can re-route and get a rogue
> cert, they can set TTL to 0, negating a previously set TTL, without
> requiring proof by presenting the denial-of-existence of the TLSA
> record. That is also a downgrade attack.
>
> How to go from TTL != 0 to TTL == 0 should be specified carefully,
> either in this document or its own document.

I did not spell out all the details, which would belong in the later pinning specification (some of this was described upthread). Once a non-zero pin is in place, a pin TTL of 0 would require a denial of existence proof or a handshake authenticated with extant TLSA RRs.

> The only known safe way of going to TTL == 0 is by presenting DoE of
> TLSA records (but it does bind using the TLS extension to the existence
> of TLSA records)

While some previous TTL has not expired, getting to zero requires either DoE or a TLSA-authenticated handshake with TTL == 0. But, if we're compromising on (C'), then this discussion becomes out of scope for the present draft, and will be one of the key design elements of the future downgrade protection ("pinning") draft.

--
Viktor.