One document matched: draft-ietf-dane-protocol-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4025 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4025.xml">
<!ENTITY rfc4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY rfc4034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4034.xml">
<!ENTITY rfc4035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4035.xml">
<!ENTITY rfc4255 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4255.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict='yes'?>
<?rfc toc="no" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc strict="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc ipr="trust200902"
docName="draft-ietf-dane-protocol-00"
category="std"
>
<front>
<title abbrev="DNS Cert Linkage for TLS">
Using Secure DNS to Associate Certificates with Domain Names For TLS</title>
<author initials='P.' surname="Hoffman" fullname='Paul Hoffman'>
<organization>VPN Consortium</organization>
<address>
<email>paul.hoffman@vpnc.org</email>
</address>
</author>
<author initials="J." surname="Schlyter" fullname="Jakob Schlyter">
<organization>Kirei AB</organization>
<address>
<email>jakob@kirei.se</email>
</address>
</author>
<date month="December" year="2010"/>
<abstract>
<t>TLS and DTLS use certificates for authenticating the server. Users want
their applications to verify that the certificate provided by the TLS server
is in fact associated with the domain name they expect. Instead of trusting a
certification authority to have made this association correctly, the user
might instead trust the authoritative DNS server for the domain name to make
that association. This document describes how to use secure DNS to associate
the TLS server's certificate with the the intended domain name.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>The first response from the server in TLS may contain a certificate. In
order for the TLS client to authenticate that it is talking to the expected
TLS server, the client must validate that this certificate is associated with
the domain name used by the client to get to the server. Currently, the client
must extract the domain name from the certificate, must trust a trust anchor
upon which the server's certificate is rooted, and must successfully validate
the certificate.</t>
<t>Some people want a different way to authenticate the association of the
server's certificate with the intended domain name without trusting the CA.
Given that the DNS administrator for a domain name is authorized to give
identifying information about the zone, it makes sense to allow that
administrator to also make an authoritative binding between the domain name
and a certificate that might be used by a host at that domain name. The
easiest way to do this is to use the DNS.</t>
<t>This document applies to both TLS <xref target='RFC5246'/> and DTLS <xref
target='4347bis'/>. In order to make the document more readable, it mostly
only talks about "TLS", but in all cases, it means "TLS or DTLS". This
document only relates to securely associating certificates for TLS and DTLS
with host names; other security protocols are handled in other documents. For
example, keys for IPsec are covered in <xref target='RFC4025'/> and keys for
SSH are covered in <xref target='RFC4255'/>.</t>
<section title="Certificate Associations">
<t>In this document, a certificate association is based on a cryptographic
hash of a certificate (sometimes called a "fingerprint") or on the certificate
itself. For a fingerprint, a hash is taken of the certificate, and that hash
is the certificate association; the type of hash function used can be chosen
by the DNS administrator. When using the certificate itself in the certificate
association, the entire certificate in the normal format is used. This
document also only applies to PKIX <xref target="RFC5280"/> certificates.</t>
<t>Certificate associations are made between a certificate or the hash of a
certificate and a domain name. Server software that is running TLS that is
found at that domain name would use a certificate that has a certificate
association given in the DNS, as described in this document. A DNS query can
return multiple certificate associations, such as in the case of different
server software on a single host using different certificates (even if they
are normally accessed with different host names), or in the case that a server
is changing from one certificate to another.</t>
</section>
<section title="Securing Certificate Associations">
<t>This document defines a secure method to associate the certificate that is
obtained from the TLS server with a domain name using DNS protected by DNSSEC.
Because the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the certificate.</t>
<t>DNSSEC, which is defined in RFCs 4033, 4034, and 4035 (<xref
target='RFC4033'/>, <xref target='RFC4034'/>, and <xref target='RFC4035'/>),
uses cryptographic keys and digital signatures to provide authentication of
DNS data. Information retrieved from the DNS and that is validated using
DNSSEC is thereby proved to be the authoritative data. The DNSSEC signature
MUST be validated on all responses in order to assure the proof of origin of
the data.</t>
<t>This document only relates to securely getting the DNS information for the
certificate association using DNSSEC; other secure DNS mechanisms are out of
scope.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119 <xref target='RFC2119'/>.</t>
<t>A note on terminology: Some people have said that this protocol is a form
of "certificate exclusion". This is true, but in a very unusual sense. That
is, a DNS reply that contains two of the certificate types defined here
inherently excludes every other possible certificate in the universe other
than those found with a pre-image attack against one of those two. The
certificate type defined here is better thought of as "enumeration" of a small
number of certificate associations, not "exclusion" of a near-infinite number
of other certificates.</t>
<t>Some of the terminology in this -00 draft may not match with the
terminology used in RFC 5280. This will be fixed in future versions of this
draft, with help from the PKIX community.</t>
</section>
</section>
<section title="Getting TLS Certificate Associations from the DNS">
<t>This document defines a new DNS resource record type, "TLSA". A query on a
domain name for the TLSA RR can return one or more records of the type TLSA.
The TLSA RRType is TBD.</t>
<t>The format of the data in the resource record is a binary record with three
values, which MUST be in the order defined here:</t>
<t><list style='symbols'>
<t>A one-octet value, called "certificate type", specifying the provided
association that will be used to match the target certificate. The types
defined are:
<list style='empty'>
<t>1 -- Hash of an end-entity certificate</t>
<t>2 -- Full end-entity certificate</t>
<t>3 -- Hash of an certification authority's certificate</t>
<t>4 -- Full certification authority's certificate</t>
</list></t>
<t>A one-octet value, called "hash type", specifying the type of hash
algorithm used for the certificate association. This value has the same values
as those of the TLS hash, as defined in the IANA registry titled "TLS
HashAlgorithm Registry"
(<http://www.iana.org/assignments/tls-parameters>). For example, the
value for the SHA-1 hash function is "2". When no hashing is used (that is, in
the certificate types where the full certificate is given), the hash type is
0. Using the same hash algorithm as is used in the signature in the
certificate will make it more likely that the TLS client will understand this
TLSA data.</t>
<t>A variable-length set of bytes containing the certificate or the hash of
the associated certificate (that is, the certificate or the hash of the
certificate itself, not of the TLS ASN.1Cert object).</t>
</list></t>
<t>An example of a hash for a single certificate:
<figure><artwork><![CDATA[
www.example.com. IN TLSA 1 2 AgHne3GdTpxjwLCgMzvgpBiOSQthjg==
]]></artwork></figure></t>
<section title="Making Certificate Associations">
<t>The TLS client determines whether or not the certificate offered by the TLS
server matches the certificate association in the TLSA resource record. If the
certificate from the TLS server matches, the TLS client accepts the
certificate association. Each certificate type has a different method for
determining matching.</t>
<t>For types 1 and 3, the hash used in the comparison is the hash type from
the TLSA data.</t>
<t>Types 1 (hash of an end-entity certificate) and 2 (full end-entity
certificate) are matched against the first certificate offered by the TLS
server. For type 1, the certificate association is valid if the hash of the
first certificate offered by the TLS server matches the value from the
resource record. For type 2, the certificate association is valid if the
certificate in the TLSA data matches to the first certificate offered by
TLS.</t>
<t>Type 3 (hash of certification authority's certificate) can be used in one
of two ways. If the hash of any certificate past the first in the certificate
bundle from TLS matches the value from the TLSA data, and the chain in the
certificate bundle is valid up to that certificate, then the certificate
association is valid. Alternately, if the first certificate offered chains to
a trust anchor, and the hash of that trust anchor matches the value from the
TLSA data, then the certificate association is valid.</t>
<t>Type 4 (full certification authority's certificate) is used in chaining
from the end-entity given in TLS. The certificate association is valid if the
first certificate in the certificate bundle can be validly chained to the
certificate from the TLSA data.</t>
</section>
</section>
<section title="Use of TLS Certificate Associations in TLS">
<t>In order to use one or more TLS certificate associations described in this
document obtained from the DNS, an application MUST assure that the
certificates were obtained using DNS protected by DNSSEC.</t>
<t>If a certificate association contains a hash type that is not understood by
the TLS client, that certificate association MUST be marked as unusable.</t>
<t>An application that requests TLS certificate associations using the method
described in this document obtains zero or more usable certificate
associations. If the application receives zero usable certificate
associations, it processes TLS in the normal fashion.</t>
<t>If a match between one of the certificate association(s) and the server's
end entity certificate in TLS is found, the TLS client continues the TLS
handshake. If a match between the certificate association(s) and the server's
end entity certificate in TLS is not found, the TLS client MUST abort the
handshake with an "access_denied" error.</t>
<section title="Certificate Validation by TLS Clients When Using Certificate
Associations">
<t>TLS client policy is deliberately not prescribed by this specification. A
client MAY choose to trust a DNSSEC-secured certificate association, depending
on its local policy.</t>
<t>[[ The preceding paragraph is probably wrong in the sense that it means
that we now hove no conformance requirements. There is probably no reason to
even use this protocol unless you are going to fully trust the results. The
one exception that has been discussed is that you might want to use the TLSA
data as a "second positive opinion", such as in a GUI or in logging. Both of
those seem fairly useless in the case of DNS resolution. Thus, the above
paragraph may be changed by the WG in a future version of this draft. ]]</t>
<section title="Use of Self-Signed Certificates">
<t>One expected use case for this protocol is that some TLS servers will begin
to use self-signed certificates in association with certificate associations.
A TLS client that is using this protocol needs to treat self-signed
certificates as special, and thus SHOULD NOT attempt certificate validation on
them. (An exception to this rule would be clients that keep self-signed end
entity certificates in its trust anchor store.) </t>
</section>
<section title="Ignorning Host Names in Certificates">
<t>All data in a self-signed certificate other than the key itself can be
ignored as untrusted unless a client validates the self-signed certificate to
a trust anchor that is identical to the certificate. That means that the host
name given in the self-signed certificate is meaningless, and that the only
way to associate the public key in the certificate with the domain name is
through the certificate association made in the DNS.</t>
<t>If a TLS client fully trusts the association between a domain name and the
certificate that was provided by the DNS, then that client MUST ignore the
domain name that is given in the certificate. That is, the certificate might
contain a domain name that is different than the one that was used to get the
TLSA data, but if the client is trusting the TLSA data, it doesn't matter what
domain name is used in the certificate. An expected use case for this protocol
is to allow someone who controls the private key on a certificate to use that
certificate for multiple TLS servers. These servers might be on a single
computer that has many domain names (such as a computer that is both a web
host and a mail host, and is known by both "www.example.com" and
"smtp.example.com"), or they might be on different computers (such as multiple
computers that all respond IP addresses reachable as "www.example.com").</t>
</section>
<section title="Use of Local Trust Anchors">
<t>Another expected use case for this protocol is that some TLS servers will
use certificates that chain to a trust anchor that might not be one that is
trusted by the TLS client, such as a local certification authority (CA) that
is administered by the organization that runs the TLS server; this is a likely
use for certificate types 3 and 4. Because of this, a TLS client that is using
this protocol that performs certificate validation on server certificates MAY
have a method to communicate with the user that differentiates between
validation failures that occur on certificates that have had secure
certificate associations and those that have not. If it does not have such a
method of communication, the failure to validate SHOULD cause the same error
as for any other certificate validation.</t>
</section>
<section title="Use of Additional Certificate Data">
<t>Some TLS clients extract data from the certificate other than the key to
show to the user; for example, most modern web browsers have the ability to
show an extended validation (EV) name that is embedded in a certificate.
Because this data comes from a trusted third party and not the TLS server
itself, TLS clients that extract additional information from TLS server
certificates MUST validate those certificates in the normal fashion.</t>
</section>
</section>
</section>
<section title='IANA Considerations'>
<t>This document uses a new DNS RRType, TLSA, whose value is TBD. A separate
request for the RRType will be submitted to the expert reviewer, and future
versions of this document will have that value instead of TBD.</t>
</section>
<section title='Security Considerations'>
<t>The security of the protocols described in this document relies on the
security of DNSSEC as used by the client requesting A and TLSA records.</t>
<t>A DNS administrator who goes rogue and changes both the A and TLSA records
for a domain name can cause the user to go to an unauthorized server that will
appear authorized, unless the client performs certificate validation and
rejects the certificate.</t>
<t>The values in the TLSA data will be normally entered in the DNS through the
same system used to enter A/AAAA records, and other DNS information for the
host name. If the authentication for changes to the host information is weak,
an attacker can easily change any of this information. Given that the TLSA
data is not easily human-readable, an attacker might change those records and
A/AAAA records and not have the change be noticed if changes to a zone are
only monitored visually.</t>
<t>If the authentication mechanism for adding or changing TLSA data in a zone
is weaker than the authentication mechanism for changing the A/AAAA records,
an man-in-the-middle who can redirect traffic to their site may be able to
impersonate the attacked host in TLS if they can use the weaker authentication
mechanism. A better design for authenticating DNS would be to have the same
level of authentication used for all DNS additions and changes for a
particular host.</t>
</section>
<section title='Acknowledgements'>
<t>Many of the ideas in this document have been discussed over many years.
More recently, the ideas have been discussed by the authors and others in a
more focused fashion. In particular, some of the ideas here originated with
Paul Vixie, Dan Kaminsky, Jeff Hodges, Phill Hallam-Baker, Simon Josefsson,
Warren Kumari, Adam Langley, Ilari Liusvaara, and Ondrej Sury.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4033;
&rfc4034;
&rfc4035;
&rfc5246;
&rfc5280;
<reference anchor='4347bis'>
<front>
<title>Datagram Transport Layer Security version 1.2</title>
<author initials='E.' surname='Rescorla' fullname='Eric Rescorla'>
<organization /></author>
<author initials='N.' surname='Modadugu' fullname='Nagendra Modadugu'>
<organization /></author>
<date year='2010' month='July' />
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-tls-rfc4347-bis' />
</reference>
</references>
<references title="Informative References">
&rfc4025;
&rfc4255;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 14:17:55 |