[ Not replying for Paul, I'm sure he he'll post views separately ]
> On Mar 3, 2018, at 10:21 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> Paul, can you walk me through the security value of a proof of nonexistence
> here? Perhaps describe an attack that it stops.
My take is:
Non-existence proofs can clear a pinned DANE policy, where a client would
other require ongoing delivery TLSA records (after initially seeing them
from the server). The data would not be pinned, that's what the DNSSEC
signed TLSA records are for.
The attack in question is downgrade to just PKIX (with fraudulently
obtained certificates). Such a downgrade makes PKIX-TA(0) and PKIX-EE(1)
ineffective, and downgrades DANE TlSA to DV certs which are strictly weaker.
Therefore, if the extension were to include an extended pin-TTL, then
denial of existence becomes useful, and indeed the pinning is primarily
a means to make it downgrade-resistant.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
