> On Apr 16, 2018, at 4:21 PM, Paul Wouters <p...@nohats.ca> wrote:
> 
> This seems dangerous. If an attacker can re-route and get a rogue
> cert, they can set TTL to 0, negating a previously set TTL, without
> requiring proof by presenting the denial-of-existence of the TLSA
> record. That is also a downgrade attack.
> 
> How to go from TTL != 0 to TTL == 0 should be specified carefully,
> either in this document or its own document.

I did not spell out all the details, which would belong in the
later pinning specification (some of this was described upthread).
Once a non-zero pin is in place, a pin TTL of 0 would require a
denial of existence proof or a handshake authenticated with extant
TLSA RRs.

> The only known safe way of going to TTL == 0 is by presenting DoE of
> TLSA records (but it does bind using the TLS extension to the existence
> of TLSA records)

While some previous TTL has not expired, getting to zero requires either
DoE or TLSA-authenticated handshake with TTL == 0.

But, if we're compromising on (C'), then this discussion becomes out of
scope for the present draft, and will be one of the key design elements
of the future downgrade protection ("pinning") draft.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
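
The transition rule stated in the reply above (while a pin is live, TTL == 0 needs either DoE or a TLSA-authenticated handshake), sketched as client-side state handling. This is an added example, not part of the original message or of any draft; `Auth`, `PinStore`, `handshake` and `replay` are hypothetical names, and refusing certificate-only handshakes while pinned is an assumption about what the future pinning draft would specify.

```python
from dataclasses import dataclass, field
from enum import Enum

class Auth(Enum):
    TLSA = "tlsa"   # validated against extant, DNSSEC-signed TLSA RRs
    DOE = "doe"     # validated denial of existence of the TLSA RRset
    PKIX = "pkix"   # certificate only, no DNSSEC evidence presented

@dataclass
class PinStore:
    """Client-side pin table: host -> absolute expiry time in seconds."""
    pins: dict = field(default_factory=dict)

    def pinned(self, host, now):
        return self.pins.get(host, 0) > now

    def handshake(self, host, auth, pin_ttl, now):
        """Apply the transition rule; return True if the connection is accepted."""
        if auth is Auth.PKIX:
            # Assumption: while a pin is live, a certificate alone is refused,
            # and a pin TTL sent without DNSSEC evidence never changes state.
            return not self.pinned(host, now)
        if auth is Auth.DOE or pin_ttl == 0:
            # TTL -> 0 is reached only here: proven absence of TLSA records,
            # or TTL == 0 carried in a TLSA-authenticated handshake.
            self.pins.pop(host, None)
            return True
        # TLSA with non-zero TTL (assumption: new TTL replaces the old expiry).
        self.pins[host] = now + pin_ttl
        return True

def replay(events):
    """Run (time, auth, pin_ttl) events for one host; return (accepted, pinned) pairs."""
    store, host, out = PinStore(), "mail.example", []
    for now, auth, ttl in events:
        ok = store.handshake(host, auth, ttl, now)
        out.append((ok, store.pinned(host, now)))
    return out

# Constructed sample sequence, not taken from the thread.
SAMPLE = [
    (0, Auth.TLSA, 3600),   # pin established
    (10, Auth.PKIX, 0),     # rogue cert claims TTL 0: refused, pin survives
    (20, Auth.TLSA, 0),     # authenticated TTL 0: pin cleared
    (30, Auth.TLSA, 100),   # pin re-established until t=130
    (40, Auth.DOE, 0),      # denial of existence: pin cleared
    (50, Auth.PKIX, 0),     # no pin in force: accepted
]
```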
