DANE-TA(2) private CAs and SHA-1

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jul 13 09:22:20 CEST 2018

By using DANE-TA(2) TLSA records you can associate your SMTP server
with either a public or private (your own) issuer CA.  This can
simplify the management of TLSA records of multiple MX hosts by
using a CNAME to a common location where you publish the shared CA
key hash.

Some care needs to be taken to make sure that certificate chains
issued by a private CA can be successfully validated by correctly
configured DANE TLS clients.

    1.  Make sure the MX hostname of the end-entity server is one of the
	names in the subjectAltName extension of the server certificate.
	This is optional for DANE-EE(3), but is required for DANE-TA(2).

	Some MX hosts are known by different names when serving
	different domains.  I don't recommend this, but can't stop
	you from doing it.  In that case, all the names should
	appear in the certificate, or (if using server-side SNI)
	each name should appear in the corresponding certificate.

    2.  Make sure that the server certificate is replaced in a
	timely manner before it expires.  This is also optional
	with DANE-EE(3), and required with DANE-TA(2).

    3.  [The motivation for this message].  Use broadly accepted
	cryptographic algorithms and parameters.  For example,
	recent versions of GnuTLS by default no longer accept SHA-1
	signatures in certificate chains.  Some versions of Exim
	that support DANE are linked with GnuTLS, and the Exim
	maintainers are not presently inclined to re-enable SHA-1
	support.  Therefore, sites using private CAs with SHA-1
	signatures may encounter problems receiving some email.
	(Public CA/B forum CAs no longer issue SHA-1 certificates.)

	For best interoperability use the SHA256 digest algorithm
	in certificate signatures.

	For best interoperability, use RSA key sizes of at least 1280 bits,
	and no more than 4096.  The most common choice is 2048-bits.

	For ECDSA, stick with NIST P-256 (OpenSSL names for this
	ECDSA curve are prime256v1 and secp256r1).

Today (after most of the small number of domains using SHA-1 with
private CAs re-issued their certificates) the DANE survey finds
only one MX host of one domain with SHA-1 private-CA signatures:

    semidefinite.de. IN MX 10 mail.semidefinite.de.

so the impact of the GnuTLS policy is low.  With a bit of luck,
this post will help others avoid the same issue, and perhaps
also the postmaster of the above domain will see it on one
of the dane-users, postfix-users or exim-users lists, so the
number of affected domains may soon be zero.
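
The three checks in the list above, applied to one certificate, as an added example that is not part of the original post. It assumes the input is the text printed by `openssl x509 -noout -text`; the function name `audit`, the 14-day renewal margin and the sample hostnames are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# hypothetical certificate issued by a private CA (not a real host).
SAMPLE = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Private CA
        Validity
            Not Before: Jul  1 00:00:00 2018 GMT
            Not After : Jul 20 00:00:00 2018 GMT
        Subject: CN = mail.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.org, DNS:mx1.example.org
    Signature Algorithm: sha1WithRSAEncryption
"""

def audit(text, mx_host, now, renew_days=14):
    """Return a list of findings for one certificate; empty means it passed."""
    findings = []
    # 1. The MX hostname must be one of the subjectAltName DNS names
    #    (exact match only; wildcard names are not expanded here).
    sans = [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]
    if mx_host.lower().rstrip(".") not in sans:
        findings.append("MX hostname not in subjectAltName")
    # 2. The certificate must be replaced before it expires.
    raw = re.search(r"Not After\s*:\s*(.+?) GMT", text).group(1)
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    if not_after - now < timedelta(days=renew_days):
        findings.append("expired or expiring within %d days" % renew_days)
    # 3. Signature digest and key parameters.
    if re.search(r"Signature Algorithm:.*sha1", text, re.I):
        findings.append("SHA-1 signature")
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1)
    if key_alg == "rsaEncryption":
        bits = int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))
        if not 1280 <= bits <= 4096:
            findings.append("RSA key size %d outside 1280..4096" % bits)
    elif "ASN1 OID: prime256v1" not in text:
        findings.append("non-RSA key is not ECDSA P-256")
    return findings
```

Run it on each certificate in the chain the server presents, passing the MX hostname exactly as it appears in the MX record.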

