On Mon, Mar 24, 2014 at 10:54:35AM -0400, Paul Wouters wrote:
> On Sun, 23 Mar 2014, Viktor Dukhovni wrote:
>
> >when the TLSA records are entirely unusable, and in keeping with Tony's
> >original work on the SRV draft, the client reverts to legacy
> >mandatory (practically always unauthenticated) TLS.
>
> That's unfortunate. Perhaps it depends on the definition of "unusable",
> but if all TLSA records for instance fail the RRSIG validation, I would
> hope that Postfix would abort delivery attempts and definitely _not_
> fall back to unauthenticated TLS.

Unusable is quite different from "fails validation". When "usable"
records are found, but none match (all fail validation), delivery
is aborted.

The "unusable" case is when at least one of the TLSA *parameters*
is unsupported, the digest value has an impossible length, or a full
value is malformed:

example.com. IN TLSA ???(50) SPKI(1) SHA2-512(2) {hex for 64-byte blob}
example.com. IN TLSA DANE-EE(3) ???(2) SHA2-512(2) {hex for 64-byte blob}
example.com. IN TLSA DANE-EE(3) SPKI(1) ???(3) {hex for 64-byte blob}
example.com. IN TLSA DANE-EE(3) SPKI(1) SHA2-512(2) {hex for 32-byte blob}
example.com. IN TLSA DANE-EE(3) SPKI(1) Full(0) {not ASN.1 of SPKI}
example.com. IN TLSA DANE-EE(3) Cert(0) Full(0) {not ASN.1 of X.509 cert}

If all records are "unusable", Postfix falls back to unauthenticated TLS.

The administrator may be in a position to configure Postfix to
"test-drive" "DANE TLS" in a mode where validation failures are
tolerated and logged (DANE audit rather than enforcement), but
that's quite different from ignoring validation failures.

The default (when DANE TLS is enabled) is "enforce". Support for
"audit" mode is under development, and is not DANE TLS specific.
It supports audited fallback from all verified (authenticated) TLS
policies to either enforced unauthenticated TLS, or even just plain
opportunistic TLS (with cleartext fallback). In all cases failure
to arrive at the desired security state is logged.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
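As an added example (not Postfix code and not from anyone in this thread), a small classifier that applies the usable/unusable distinction Viktor describes to the six sample records and then derives the delivery decision: no usable records gives the legacy unauthenticated-TLS fallback, usable records that all fail to match gives an abort. The supported parameter sets and the minimal DER SEQUENCE check are assumptions modelled on DANE for SMTP, not Postfix's actual checks.

```python
from typing import Callable, List, NamedTuple

# Assumed supported parameters, modelled on DANE for SMTP (RFC 7672):
SUPPORTED_USAGES = {2, 3}        # DANE-TA(2), DANE-EE(3)
SUPPORTED_SELECTORS = {0, 1}     # Cert(0), SPKI(1)
DIGEST_LEN = {1: 32, 2: 64}      # SHA2-256(1) -> 32 bytes, SHA2-512(2) -> 64 bytes

class TLSA(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes

def der_sequence_ok(blob: bytes) -> bool:
    """Simplified check that a Full(0) value is a DER SEQUENCE whose encoded length
    matches the blob (certs and SPKIs are outer SEQUENCEs); catches only gross damage."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                        # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def unusable_reason(r: TLSA) -> str:
    """Empty string for a usable record, otherwise why the client cannot apply it."""
    if r.usage not in SUPPORTED_USAGES:
        return f"unsupported usage {r.usage}"
    if r.selector not in SUPPORTED_SELECTORS:
        return f"unsupported selector {r.selector}"
    if r.mtype == 0:
        return "" if der_sequence_ok(r.data) else "malformed full value"
    if r.mtype not in DIGEST_LEN:
        return f"unsupported matching type {r.mtype}"
    if len(r.data) != DIGEST_LEN[r.mtype]:
        return f"digest length {len(r.data)}, expected {DIGEST_LEN[r.mtype]}"
    return ""

def delivery_decision(records: List[TLSA], matches: Callable[[TLSA], bool]) -> str:
    """'authenticated' if a usable record matches the peer; 'abort' if usable
    records exist but none match; 'unauthenticated-tls' when none are usable."""
    usable = [r for r in records if not unusable_reason(r)]
    if not usable:
        return "unauthenticated-tls"        # the legacy fallback described above
    return "authenticated" if any(matches(r) for r in usable) else "abort"
```

The `matches` callable stands in for the TLS-time comparison of a record against the peer's certificate chain, which is where "fails validation" is decided.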