-----Original Message-----
From: dane-users-bounces@sys4.de [mailto:dane-users-bounces@sys4.de] On Behalf Of Viktor Dukhovni
Sent: Monday, February 23, 2015 2:32 PM
To: dane-users@sys4.de
Subject: Re: Postfix DANE support for Certificate Usage = 0/1?
On Mon, Feb 23, 2015 at 09:29:07PM +0000, Kevin San Diego wrote:
I'm trying to get up to speed on the DANE implementation in Postfix; it appears to support only DANE certificate usage 2 (Trust anchor assertion) and 3 (Domain-issued certificate). Is there a particular reason why the public CA-signed certificate types wouldn't be supported, as these are more likely (as of today, at least) to be installed on business and commercial platforms?
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.3
Thank you for the quick reply!
The "no added security" bit makes some sense in the context of a compromised DNS environment, but this doesn't really address how an organization that currently utilizes public CA-certs is supposed to intermix their existing TLS SMTP client usage with self-signed/DNS-hosted certs in a TLSA record. By stating usage modes 0 & 1 should be considered unusable, it seems to me that a company would need to choose between sticking with their current legacy opportunistic/site-specific forced TLS and moving to the DANE-EE model. For the types of customers who already have to have public CA-cert validated SMTP communications (and the associated accept-on-validation-success/drop-on-validation-failure policy set up with critical partners), the currently deployed field of MTAs which don't yet have SMTP client support for DANE won't be able to validate the TLS session if a DANE-EE cert is used in lieu. Given that MX records point to a specific host or set of hosts on a per-domain basis, I presently don't see how an organization could simultaneously support both traditional CA-cert validated TLS connections and TLSA (mode 2/3) validated TLS connections. Receiving SMTP servers can typically only be configured with a single server certificate per IP/port binding.
Perhaps I've missed something?
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.1
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.2
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-1.3.2
Extract from http://www.postfix.org/TLS_README.html#client_tls_dane:
"The Postfix SMTP client supports only certificate usages "2" and "3" (with "1" treated as though it were "3"). See tls_dane_trust_anchor_digest_enable for usage "2" usability considerations. Support for certificate usage "1" is an experiment, it may be withdrawn in the future. Server operators SHOULD NOT publish TLSA records with usage "1"."
The support for usage "1" simply pretends that the server operator published the right server certificate digest with the wrong usage and treats "1" as though it were "3".
Sincerely,
Kevin San Diego
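Added example, not from this thread and not Postfix's own code: a small Python model of the usage-mapping policy in the TLS_README extract quoted above (usage "0" ignored, "1" treated as "3", "2" and "3" used), combined with the RFC 6698 selector and matching-type rules so a record can be checked against a certificate chain. It also illustrates the point behind the question about mixing CA-issued certificates with DANE: the digest comparison never looks at the issuer, so the same CA-signed certificate can be published in a usage "3" record while legacy clients keep validating its public-CA chain. Names such as TLSARecord, ChainCert, record_matches and the trust_anchor_digest_enable flag are this example's own; the certificates are constructed byte strings standing in for DER, and treating that flag as "only full-certificate usage-2 records remain usable when it is off" is an assumed simplification of tls_dane_trust_anchor_digest_enable, not a description of the Postfix implementation.

```python
"""Model of TLSA record evaluation under the Postfix client policy quoted
in TLS_README: usage 0 unsupported, usage 1 treated as 3, usages 2/3 used.
Certificates are opaque byte strings (constructed stand-ins for DER), which
is enough to exercise the RFC 6698 selector / matching-type logic offline."""

import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class ChainCert:
    """Constructed stand-in for an X.509 certificate (hypothetical type)."""
    der: bytes      # would be the DER-encoded certificate
    spki: bytes     # would be the DER-encoded SubjectPublicKeyInfo


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse zone-file form '3 1 1 <hex>'; the hex part may contain spaces."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert: ChainCert, selector: int, mtype: int) -> bytes:
    """Compute what a record with this selector/matching type must contain."""
    if selector == 0:
        blob = cert.der
    elif selector == 1:
        blob = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def effective_usage(record: TLSARecord,
                    trust_anchor_digest_enable: bool = True) -> Optional[int]:
    """Map the published usage to the usage the client applies; None = ignored.

    Assumption (simplified model of tls_dane_trust_anchor_digest_enable):
    with the flag off, only full-certificate (matching type 0) usage-2
    records stay usable."""
    if record.usage == 0:
        return None                      # PKIX-TA: not supported
    if record.usage == 1:
        return 3                         # PKIX-EE: treated as DANE-EE
    if record.usage == 2:
        if record.mtype != 0 and not trust_anchor_digest_enable:
            return None
        return 2
    if record.usage == 3:
        return 3
    return None                          # unassigned usage: unusable


def record_matches(record: TLSARecord, chain: List[ChainCert],
                   trust_anchor_digest_enable: bool = True) -> bool:
    """True if the record binds to the presented chain (leaf first).

    DANE-EE is compared against the leaf only; DANE-TA against any
    certificate the server sent. Simplification: no chain-signature check."""
    usage = effective_usage(record, trust_anchor_digest_enable)
    if usage is None:
        return False
    candidates = chain[:1] if usage == 3 else chain
    return any(association_data(c, record.selector, record.mtype) == record.data
               for c in candidates)


# Constructed sample chain: a CA-issued leaf and its issuer (not real DER).
LEAF = ChainCert(der=b"constructed-leaf-cert-der", spki=b"constructed-leaf-spki")
ISSUER = ChainCert(der=b"constructed-issuer-cert-der", spki=b"constructed-issuer-spki")
CHAIN = [LEAF, ISSUER]


def demo() -> List[Tuple[int, bool]]:
    """Evaluate one record per usage value against the sample chain."""
    ee_hex = association_data(LEAF, 1, 1).hex()   # SPKI SHA-256 of the leaf
    ta_hex = association_data(ISSUER, 0, 0).hex() # full issuer certificate
    records = [
        parse_tlsa(f"3 1 1 {ee_hex}"),  # DANE-EE: matches the leaf
        parse_tlsa(f"1 1 1 {ee_hex}"),  # PKIX-EE: treated as usage 3, matches
        parse_tlsa(f"0 0 0 {ta_hex}"),  # PKIX-TA: ignored by the client
        parse_tlsa(f"2 0 0 {ta_hex}"),  # DANE-TA: matches the issuer cert
    ]
    return [(r.usage, record_matches(r, CHAIN)) for r in records]


if __name__ == "__main__":
    for usage, ok in demo():
        print(f"usage {usage}: {'match' if ok else 'ignored/no match'}")
```

The usage "1" record in demo() matches for exactly the reason the README gives: the client pretends the operator published the same digest with usage "3", so the CA-signed leaf is accepted on its digest alone, while a client without DANE support is unaffected by the TLSA record and still validates the public-CA chain.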