On Sun, Mar 01, 2015 at 08:37:04PM +0100, Michael Ströder wrote:
> Viktor Dukhovni wrote:
> > The two models coexist seamlessly, and many existing DANE SMTP sites use certificates from a public CA.
> But you switch off X.509 validation if DANE is used.
> > Because server-signalled mandatory use of (some unspecified set of) public CA trust-anchors can only reduce interoperability and cannot contribute to security.
> I'd like to see DNSSEC/DANE/TLSA as an *additional* mechanism but still requiring X.509 validation to be fully performed. With this, multiple trust anchors would be effective, which is IMO the real solution.
This is sloppy wishful thinking. You've not considered the security model carefully enough. It would sure be nice if using both gave you more security and reduced the chance of failure. Unfortunately, this would give you no additional security and would needlessly increase the chance of failure.
Since a compromise of DNS would allow the attacker to publish DANE-EE(3) records of his choice, the "requirement" to "harden" DANE with (some unspecified set of) public CAs is subject to a trivial DNS-only downgrade. So the security of this reduces to the security of DANE without the (unspecified) public CAs.
On the other hand, including the requirement to also use said CAs introduces significant opportunities for authentication to fail because the client does not have the server's chosen root CA in its trusted CA list, or the client has difficulty building the trust path for various reasons. There is no user to "click OK" in MTA-to-MTA SMTP when the Web PKI fails (as it does too frequently).
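As an added illustration of the downgrade argument above (my own sketch, not code from this thread or from any MTA), the following Python models usage-driven TLSA evaluation per RFC 6698 with constructed byte strings standing in for DER certificates; `accept`, `server_records` and the scenario functions are hypothetical names chosen for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the presented end-entity cert (or its SPKI) with one TLSA record."""
    subject = spki_der if rec.selector == 1 else cert_der
    if rec.mtype == 0:
        return subject == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(subject).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(subject).digest() == rec.data
    return False  # unknown matching type: record is unusable


def accept(records, cert_der: bytes, spki_der: bytes, pkix_ok: bool) -> bool:
    """Usage-driven policy: PKIX-* usages also require a valid CA chain,
    DANE-EE(3) is matched on its own. DANE-TA(2) needs chain building and is omitted."""
    for r in records:
        if r.usage in (0, 1) and pkix_ok and tlsa_matches(r, cert_der, spki_der):
            return True
        if r.usage == 3 and tlsa_matches(r, cert_der, spki_der):
            return True
    return False


# Constructed stand-ins for DER blobs; real ones come from the TLS handshake.
SERVER_CERT, SERVER_SPKI = b"server-cert-der", b"server-spki-der"
OTHER_CERT, OTHER_SPKI = b"other-cert-der", b"other-spki-der"


def server_records():
    # Operator publishes "1 1 1": TLSA match AND PKIX validation intended.
    return [TLSA(1, 1, 1, hashlib.sha256(SERVER_SPKI).digest())]


def legitimate_server_accepted(pkix_ok: bool) -> bool:
    # The PKIX requirement adds a failure mode: same DNS data, chain building fails.
    return accept(server_records(), SERVER_CERT, SERVER_SPKI, pkix_ok)


def dns_controlled_records():
    # Whoever controls the (unsigned or compromised) zone can publish "3 1 1"
    # for a different key, so the intended PKIX requirement never applies.
    return [TLSA(3, 1, 1, hashlib.sha256(OTHER_SPKI).digest())]


def dns_downgrade_accepted() -> bool:
    return accept(dns_controlled_records(), OTHER_CERT, OTHER_SPKI, pkix_ok=False)
```

The two scenario functions show the point of the post: the effective security is whatever DNSSEC provides for the TLSA lookup, and the added PKIX requirement only introduces the case where a correct server is rejected.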