Postfix DANE support for Certificate Usage = 0/1?

Kevin San Diego ksandiego at cloudmark.com
Tue Feb 24 00:23:07 CET 2015 

> -----Original Message-----
> From: dane-users-bounces at sys4.de [mailto:dane-users-bounces at sys4.de]
> On Behalf Of Viktor Dukhovni
> Sent: Monday, February 23, 2015 2:32 PM
> To: dane-users at sys4.de
> Subject: Re: Postfix DANE support for Certificate Usage = 0/1?
> 
> On Mon, Feb 23, 2015 at 09:29:07PM +0000, Kevin San Diego wrote:
> 
> > I'm trying to get to speed on the DANE implementation in Postfix, it
> > appears to support only DANE certificate usage 2 (Trust anchor assertion)
> > and 3 (Domain-issued certificate). Is there a particular reason why the
> > public CA-signed certificate types wouldn't be supported as these are more
> > likely (as of today, at least) to be installed on business and commercial
> > platforms?
> 
>     https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-
> 3.1.3

Thank you for the quick reply!

The "no added security" bit makes some sense in the context of a compromised DNS environment, but this doesn't really address how an organization who currently utilizes public CA-certs is supposed to intermix their existing TLS SMTP client usage with self-signed/DNS-hosted certs in a TLSA record. By stating usage mode 0 & 1 should be considered unusable, it seems to me that a company would need to choose between sticking with their current legacy opportunistic/site-specific forced TLS and moving to the DANE-EE model. For the types of customers who already have to have public CA-cert validated SMTP communications (and associated accept on validation success/drop on validation failure policy set up with critical partners), the currently deployed field of MTAs which don't yet have SMTP client support for DANE at the won't be able to validate the TLS session if a DANE EE cert is used in lieu. Given that MX records point to a specific host or set of hosts on a per domain basis, I presently don't see how an organization could simultaneously support both traditional CA-cert validated TLS connections and TLSA (mode 2/3) validated TLS connections. Receiving SMTP servers can typically only be configured with a single server certificate per IP/port binding.

Perhaps I've missed something?

>     https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-
> 3.1.1
>     https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-
> 3.1.2
>     https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-
> 1.3.2
> 
> > Extract from http://www.postfix.org/TLS_README.html#client_tls_dane:
> 
> > "The Postfix SMTP client supports only certificate usages "2" and "3"
> > (with "1" treated as though it were "3"). See
> tls_dane_trust_anchor_digest_enable
> > for usage "2" usability considerations.  Support for certificate usage "1" is
> > an experiment, it may be withdrawn in the future. Server operators
> SHOULD NOT
> > publish TLSA records with usage "1"."
> 
> The support for usage "1" simply pretends that the server operator
> published the right server certificate digest with the wrong usage
> and treats "1" as though it were "3".
> 

Sincerely,

Kevin San Diego

More information about the dane-users mailing list