Document: draft-davey-tls-braid-00.txt

George,

I've given this a quick look. The TL;DR is that I do not think that
this is a viable proposal, for several reasons.

The most important reason is that I don't think it really addresses
the operational issues that people have with short-lived certificates,
which mostly have to do with the need to automate renewal. In this
design, you still need to automate renewal, not of the certificate
itself, but of the rest of the evidence (the DC, witnesses,
etc.). It's not clear to me why this is any better. Moreover, as long
as this is not universal (which strikes me as very unlikely), peeople
will still have to use short-lived certificates for clients which
don't support BRAID, at which point they have both operational
burdens.

Second, this seems to me to have a number of technical drawbacks
that have appeared with other related mechanisms. Specifically:

- Like TLSA, it depends on DNSSEC, and as a practical matter requires
  client-side validation. This is already something we know that
  end-user clients have no appetite for, and what measurements we have
  indicate that failure rates will be unacceptably high. I know you
  mention an HSTS-like mechanism, but this only provides reasonable
  security on second impression, which isn't very good for something
  this heavyweight.

- Because you have to deploy supplemental (non-certificate) data, you
  have the problem of either updating the server to serve it (roughly
  isomorphic to OCSP stapling and must-staple) or serving it from some
  other public endpoint (roughly isomorphic to OCSP). This seems
  likely to have the same problems we have seen with those mechanisms.

Finally, I would note that you could achieve at least some of the
properties you are proposing here with existing
mechanisms. Specifically, if DNSSEC *is* viable as a means of serving
this kind of information, then you can simply use TLSA directly with
the EE certificate with certificate usage 1, and then just stop
serving the TLSA record directly. This is much simpler than what you
are proposing and is at least conceptually available now, so the fact
that it is not widely deployed suggests that BRAID will also not be
widely deployed.

-Ekr
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to