[Top] [All Lists]

Re: draft-fanf-dane-smtp

2012-05-30 16:58:24

Mark Andrews wrote:

My question is:

If the client has to be modified to do this extra TLSA check, then why not just add login to do a CA 3rd party repository? Or support OCSP (Online Certificate Status Protocol) RFC2560?

OCSP is for when the CA knows the CERT is compromised.
TLSA, mode X, is to detect mis-issued CERT by some CA.

Different threat models.

OCSP are sometimes unreachable even when you have the address and CERT.
TLSA records will almost always be available if you can retrieve the address
as they live below the address in the DNS and are usually in the same zone.

Different failure models.

Yes, but its always been used for whatever the CA responds with and whatever the client decides to do as a negative response, but as the modus operandi has been, a positive response has "trust value." I've seen it used in cases where a browser check provides a perfect SSL resolution, but with modern browsers having OCSP enabled now, it will provide a failure/security notification to the user. In the case I recall, a big national chain store purchased a set of wildcard domains, then wanted to add more the same day, and there was a revocation issue that failure when OCSP was enabled.

So I guess that all falls under a "compromise" threat/failure window.

When change is proposed, then it has to have a payoff. A client trusting a self-signed signature is going to be pre-defined or pre-arranged or known upfront.

TLSA, mode Y, allows you to trust the self signed CERT by providing
a verifiable secure chain of trust back to a DNS trust anchor rather
than a CA trust anchor.

Thanks for your comments.

At best, this proposal offers an easier protocol. But its not ready for prime time until the DNS servers better support unnamed types and across the OS platform board.

I think we would like a SMTP/TLS model where clients support/service the CA market, in the same way Browsers do for SSL/TLS certificates. I can see an SMTP Server Extension that offers service keywords for the level of enforcement. This may answer one of the lingering questions the DANE-SMTP drafts states that the server has no way to know the client has looked up a TLSA record.


<Prev in Thread] Current Thread [Next in Thread>