On Sun, Nov 18, 2018 at 02:30:53PM +0000, Salz, Rich wrote:

> >    [ FWIW, TLS is trust-model agnostic, it is the WebPKI that uses the
>       usual panoply of CAs. ]
>  
> No, it is not agnostic.  It does support other trust models -- raw keys,
> PGP web-of-trust -- but its default and primary model from its inception
> is X509 and its (so ingrained you might consider it implicit) "trust the
> issuer" model.  Look at the definitions of certs and CA's and things like
> path validation in PKIX and its predecessors, the "trust anchors" which
> builds on the chain model -- chained through *issuers* -- in the protocol,
> and so on.

[ I don't know why you would choose to argue this point, let's not
  confuse TLS with the CA/B forum WebPKI in browsers.  My post was
  about TLS.

  My post was emphatically not an attempt to revive the DANE chain
  discussion here, and was not even about DANE, nobody is looking
  forward to reopening that discussion here.  However, since bashing
  DNSSEC is a popular sport, I may for the record, now and then
  post corrections to messages that mischaracterize DNSSEC. ]

The X.509 trust-anchors are NOT specified in TLS, and need not be
used.  Long before DANE, Postfix supported "fingerprint" authentication,
especially for email submission clients, which bypassed the WebPKI
and never looked at the certificate issuer.  Peter Gutmann may
apprise you of similar usage in industrial automation.

> The "usual panoply of CAs" is the WebPKI instantiation of a trust model,
> but do not confuse it with the trust model itself. I have deployed several
> instances of the X509/PKI trust model at work, and none of them use a
> conventional WebPKI set of anchors.

This was explicitly acknowledged and discussed in more detail in
the message you're responding to.  Yes, PKIX is not always the
WebPKI, but in practice it typically is.

> If DANE-TLS is to come back, the authors should use a new TLS certificate
> type that is perhaps an X509 structure, but whose trust semantics are
> defined by DANE. The recent IEEE vehicle cert did similar, and all it took
> was a couple of pieces of email.

There is simply no need for that.  The existing X.509 encapsulation
works just fine, and makes it possible to transparently interoperate
with both DANE and CA/B forum WebPKI or other PKIX peers.

For clients that can do DNSSEC lookups directly and reliably, DANE
works in TLS with no friction.  With DANE-TA(2) and DANE-EE(3) you
get a different trust model, and DANE-TA(2) does use "trust the
issuer", but the ultimately trusted issuer is delivered via DNSSEC
TLSA records.

DANE does not have to "come back".  It is in use today, enabling
authenticated SMTP to over 337 thousand email domains and growing:

    http://stats.dnssec-tools.org/#graphs

DANE TLS for SMTP is supported by Postfix, Exim, Halon, PowerMTA,
Cisco ESA, ...  There are also consumer email providers with millions
of users that employ DANE in both directions: comcast.net, web.de,
gmx.de, freenet.de, ... and more planned.

-- 
        Viktor.
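To make the DANE-TA(2) versus DANE-EE(3) distinction in the message above concrete, here is an added Python example (not code from the thread, nor from Postfix or any other implementation named in it): it parses TLSA records in presentation form and matches them against a presented certificate chain, consulting no issuer at all for usage 3 and requiring the TLSA-delivered issuer to be present in the chain for usage 2. The Cert type, the byte strings and the record values are constructed placeholders, and X.509 signature checking along the chain is assumed to have been done by the caller.

```python
import hashlib
from dataclasses import dataclass

# RFC 6698 certificate usages named in the message above.
DANE_TA = 2  # trust-anchor assertion: "trust the issuer", issuer delivered via DNSSEC
DANE_EE = 3  # end-entity match: the issuer is never consulted
@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for a parsed X.509 certificate
    der: bytes   # full certificate DER
    spki: bytes  # SubjectPublicKeyInfo DER

@dataclass(frozen=True)
class TLSA:
    usage: int     # certificate usage (only 2 and 3 handled here)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form such as '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association(rec: TLSA, cert: Cert) -> bytes:
    """Apply the record's selector and matching type to one certificate."""
    blob = cert.der if rec.selector == 0 else cert.spki
    return _DIGEST[rec.mtype](blob)

def dane_matches(records: list, chain: list) -> bool:
    """chain[0] is the end-entity cert, chain[1:] the issuers the peer sent.
    Assumption: the caller already verified that each issuer signs the cert
    before it; this toy does no signature checking of its own."""
    for rec in records:
        if rec.usage == DANE_EE and association(rec, chain[0]) == rec.data:
            return True  # no CA, name or expiry check is involved
        if rec.usage == DANE_TA and any(association(rec, c) == rec.data for c in chain[1:]):
            return True  # the trusted issuer came from the TLSA record, not a CA bundle
    return False
# Constructed sample data: opaque bytes stand in for real DER encodings.
ISSUER = Cert(der=b"constructed issuer DER", spki=b"constructed issuer SPKI")
LEAF = Cert(der=b"constructed leaf DER", spki=b"constructed leaf SPKI")

def example_records() -> list:
    """A '3 1 1' record pinning the leaf key and a '2 0 1' record naming the issuer."""
    return [parse_tlsa("3 1 1 " + hashlib.sha256(LEAF.spki).hexdigest()),
            parse_tlsa("2 0 1 " + hashlib.sha256(ISSUER.der).hexdigest())]
```

Note that the usage 2 record keeps matching after the leaf key is rotated under the same issuer, while the usage 3 record stops matching, which is exactly the "trust the issuer" difference the message describes.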

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
