draft-ietf-dane-protocol-01.txt   draft-ietf-dane-protocol-02.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: July 12, 2011 Kirei AB Expires: July 19, 2011 Kirei AB
January 8, 2011 January 15, 2011
Using Secure DNS to Associate Certificates with Domain Names For TLS Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-01 draft-ietf-dane-protocol-02
Abstract Abstract
TLS and DTLS use certificates for authenticating the server. Users TLS and DTLS use certificates for authenticating the server. Users
want their applications to verify that the certificate provided by want their applications to verify that the certificate provided by
the TLS server is in fact associated with the domain name they the TLS server is in fact associated with the domain name they
expect. Instead of trusting a certification authority to have made expect. Instead of trusting a certification authority to have made
this association correctly, the user might instead trust the this association correctly, the user might instead trust the
authoritative DNS server for the domain name to make that authoritative DNS server for the domain name to make that
association. This document describes how to use secure DNS to association. This document describes how to use secure DNS to
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 12, 2011. This Internet-Draft will expire on July 19, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 19 skipping to change at page 4, line 19
This document defines a new DNS resource record type, "TLSA". A This document defines a new DNS resource record type, "TLSA". A
query on a domain name for the TLSA RR can return one or more records query on a domain name for the TLSA RR can return one or more records
of the type TLSA. The TLSA RRType is TBD. of the type TLSA. The TLSA RRType is TBD.
The format of the data in the resource record is a binary record with The format of the data in the resource record is a binary record with
three values, which MUST be in the order defined here: three values, which MUST be in the order defined here:
o A one-octet value, called "certificate type", specifying the o A one-octet value, called "certificate type", specifying the
provided association that will be used to match the target provided association that will be used to match the target
certificate. The types defined are: certificate. This will be an IANA registry in order to make it
easier to add additional certificate types in the future. The
types defined in this document are:
1 -- Hash of an end-entity certificate 1 -- Hash of an end-entity certificate
2 -- Full end-entity certificate in DER encoding 2 -- Full end-entity certificate in DER encoding
3 -- Hash of an certification authority's certificate 3 -- Hash of an certification authority's certificate
4 -- Full certification authority's certificate in DER encoding 4 -- Full certification authority's certificate in DER encoding
o A one-octet value, called "hash type", specifying the type of hash o A one-octet value, called "hash type", specifying the type of hash
algorithm used for the certificate association. This value has algorithm used for the certificate association. This value is
the same values as those of the TLS hash, as defined in the IANA defined in a new IANA registry. When no hashing is used (that is,
registry titled "TLS HashAlgorithm Registry" in the certificate types where the full certificate is given), the
(<http://www.iana.org/assignments/tls-parameters>). For example, hash type MUST be 0. Using the same hash algorithm as is used in
the value for the SHA-1 hash function is "2". When no hashing is the signature in the certificate will make it more likely that the
used (that is, in the certificate types where the full certificate TLS client will understand this TLSA data.
is given), the hash type is 0. Using the same hash algorithm as
is used in the signature in the certificate will make it more
likely that the TLS client will understand this TLSA data. [[
Note: this is currently being discussed in the WG as issue #4, so
it could change. ]]
o The bytes containing the certificate or the hash of the associated o The "certificate for association". This is the bytes containing
certificate (that is, the certificate or the hash of the the certificate or the hash of the associated certificate (that
certificate itself, not of the TLS ASN.1Cert object). is, the certificate or the hash of the certificate itself, not of
the TLS ASN.1Cert object).
Certificate types 1 through 4 explicitly only apply to PKIX-formatted Certificate types 1 through 4 explicitly only apply to PKIX-formatted
certificates. If TLS allows other formats later, or if extensions to certificates. If TLS allows other formats later, or if extensions to
this protocol are made that accept other formats for certificates, this protocol are made that accept other formats for certificates,
those certificates will need certificate types. [[ Later: maybe make those certificates will need certificate types.
yet-another-probably-never-used IANA registry for certificate types.
]]
2.1. Making Certificate Associations 2.1. Making Certificate Associations
The TLS client determines whether or not the certificate offered by The TLS client determines whether or not the certificate offered by
the TLS server matches the certificate association in the TLSA the TLS server matches the certificate association in the TLSA
resource record. If the certificate from the TLS server matches, the resource record. If the certificate from the TLS server matches, the
TLS client accepts the certificate association. Each certificate TLS client accepts the certificate association. Each certificate
type has a different method for determining matching. type has a different method for determining matching.
For types 1 and 3, the hash used in the comparison is the hash type For types 1 and 3, the hash used in the comparison is the hash type
skipping to change at page 5, line 51 skipping to change at page 5, line 49
[[ Need discussion of self-signed certificates being CA certificates. [[ Need discussion of self-signed certificates being CA certificates.
Need to be sure that this discussion uses correct PKIX terminology Need to be sure that this discussion uses correct PKIX terminology
and is carefully explained. ]] and is carefully explained. ]]
2.2. Presentation Format 2.2. Presentation Format
The RDATA of the presentation format of the TLSA resource record The RDATA of the presentation format of the TLSA resource record
consists of two numbers (certificate and hash type) followed by the consists of two numbers (certificate and hash type) followed by the
bytes containing the certificate or the hash of the associated bytes containing the certificate or the hash of the associated
certificate itself, presented in hex. An example of a hash of an certificate itself, presented in hex. An example of a SHA-256 hash
end-entity certificate: (type 2) of an end-entity certificate (type 1) would be:
www.example.com. IN TLSA ( www.example.com. IN TLSA (
1 2 e77b719d4e9c63c0b0a0333be0a4188e490b618e ) 1 2 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98
c735fcca79f09230aa7141 )
The use of mnemonics instead of numbers is not allowed. An example of an unhashed (type 0) CA certificate (type 4) would be:
[[ We could consider using Base64 instead of hex. ]] www.example.com. IN TLSA (
4 0 308202c5308201ada00302010202090... )
Because the length of hashes and certificates can be quite long,
presentation format explicitly allows line breaks and white space in
the hex values; those characters are removed when converting to the
wire format.
2.3. Wire Format 2.3. Wire Format
[[ Need to do this, clearly. ]] The wire format is:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert type | Hash type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ /
/ Certificate for association /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The wire format for the RDATA in the first example given above would
be:
www.example.com. IN TYPE65534 \# 34 ( 01025c1502a6549c423be0a0aa
9d9a16904de5ef0f5c98c735fcca79f09230aa7141 )
The wire format for the RDATA in the second example given above would
be:
www.example.com. IN TYPE65534 \# 715 0400308202c5308201ada003020...
3. Use of TLS Certificate Associations in TLS 3. Use of TLS Certificate Associations in TLS
In order to use one or more TLS certificate associations described in In order to use one or more TLS certificate associations described in
this document obtained from the DNS, an application MUST assure that this document obtained from the DNS, an application MUST assure that
the certificates were obtained using DNS protected by DNSSEC. TLSA the certificates were obtained using DNS protected by DNSSEC. TLSA
records must only be trusted if they were obtained from a trusted records must only be trusted if they were obtained from a trusted
source. This could be a localhost DNS resolver answer with the AD source. This could be a localhost DNS resolver answer with the AD
bit set, an inline validating resolver library primed with the proper bit set, an inline validating resolver library primed with the proper
trust anchors, or obtained from a remote nameserver to which one has trust anchors, or obtained from a remote nameserver to which one has
skipping to change at page 8, line 27 skipping to change at page 9, line 10
Some TLS clients extract data from the certificate other than the key Some TLS clients extract data from the certificate other than the key
to show to the user; for example, most modern web browsers have the to show to the user; for example, most modern web browsers have the
ability to show an extended validation (EV) name that is embedded in ability to show an extended validation (EV) name that is embedded in
a certificate. Because this data comes from a trusted third party a certificate. Because this data comes from a trusted third party
and not the TLS server itself, TLS clients that extract additional and not the TLS server itself, TLS clients that extract additional
information from TLS server certificates MUST validate those information from TLS server certificates MUST validate those
certificates in the normal fashion. certificates in the normal fashion.
4. IANA Considerations 4. IANA Considerations
4.1. TLSA RRtype
This document uses a new DNS RRType, TLSA, whose value is TBD. A This document uses a new DNS RRType, TLSA, whose value is TBD. A
separate request for the RRType will be submitted to the expert separate request for the RRType will be submitted to the expert
reviewer, and future versions of this document will have that value reviewer, and future versions of this document will have that value
instead of TBD. instead of TBD.
4.2. TLSA Certificate Types
This document creates a new registry, "Certificate Types for TLSA
Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are:
Value Short description Ref.
-------------------------------------------------------------
0 Reserved [This]
1 Hash of an end-entity cert [This]
2 Full end-entity cert in DER encoding [This]
3 Hash of an CA's cert [This]
4 Full CA's cert in DER encoding [This]
5-254 Unassigned
Applications to the registry can request specific values that have
yet to be assigned.
4.3. TLSA Hash Types
This document creates a new registry, "Hash Types for TLSA Resource
Records". The registry policy is "Specification Required". The
initial entries in the registry are:
Value Short description Ref.
-----------------------------------------------------
0 No hash used [This]
1 SHA-1 NIST FIPS 180-2
2 SHA-256 NIST FIPS 180-2
3 SHA-384 NIST FIPS 180-2
4-254 Unassigned
Applications to the registry can request specific values that have
yet to be assigned.
5. Security Considerations 5. Security Considerations
The security of the protocols described in this document relies on The security of the protocols described in this document relies on
the security of DNSSEC as used by the client requesting A and TLSA the security of DNSSEC as used by the client requesting A and TLSA
records. records.
A DNS administrator who goes rogue and changes both the A and TLSA A DNS administrator who goes rogue and changes both the A and TLSA
records for a domain name can cause the user to go to an unauthorized records for a domain name can cause the user to go to an unauthorized
server that will appear authorized, unless the client performs server that will appear authorized, unless the client performs
certificate validation and rejects the certificate. That certificate validation and rejects the certificate. That
skipping to change at page 9, line 19 skipping to change at page 10, line 38
zone is weaker than the authentication mechanism for changing the zone is weaker than the authentication mechanism for changing the
A/AAAA records, a man-in-the-middle who can redirect traffic to their A/AAAA records, a man-in-the-middle who can redirect traffic to their
site may be able to impersonate the attacked host in TLS if they can site may be able to impersonate the attacked host in TLS if they can
use the weaker authentication mechanism. A better design for use the weaker authentication mechanism. A better design for
authenticating DNS would be to have the same level of authentication authenticating DNS would be to have the same level of authentication
used for all DNS additions and changes for a particular host. used for all DNS additions and changes for a particular host.
[[ Add discussion of the idea that TLSA makes things worse if an [[ Add discussion of the idea that TLSA makes things worse if an
intermediate CA is compromised. Need more from Stephen Farrell. ]] intermediate CA is compromised. Need more from Stephen Farrell. ]]
[[ Add discussion of length check to avoid potential issues with
appended data. Need more from Carl Wallace. ]]
6. Acknowledgements 6. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges, ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley,
Ilari Liusvaara, and Ondrej Sury. Ilari Liusvaara, and Ondrej Sury.
7. References 7. References
 End of changes. 15 change blocks. 
33 lines changed or deleted 90 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/