If a user sets server host name and port manually, and the address (A/AAAA) record chosen to connect to it passes DNSSEC validation, is it okay to perform DANE TLSA verification against that manually provided host name?
flow
defanor, you don't perform TLSA verification against the provided host name, you perform it against the provided xmpp service name
flow
e.g. user configures his jid to be "user@example.org" and host name to be "enterprise.example.org", then you would perform TLSA verification against "example.org"
defanor
But with SRV records it would be "enterprise.example.org", according to <https://tools.ietf.org/html/draft-ietf-dane-srv-14#section-3.3>, so it seemed to me that with a manually provided host name it would be similar, since it more or less replaces SRV.
flow
this only talks about the TLSA DNS query (/lookup)
flow
i.e., it says that you want to lookup the TLSA record on the SRV target
defanor
Indeed. I thought I had read in one of the related RFCs that it allows using certificates for different domains on different servers, but I probably misunderstood something; re-reading the RFCs. And GnuTLS's dane_verify_session_crt seems to only assume a single domain name, not one for the certificate and one for TLSA. Still, what are the required conditions to use DANE with a manually provided host?
flow
defanor, dunno, but I could imagine that you do the TLSA lookup on the user provided DNS name
defanor
https://tools.ietf.org/html/rfc7673#section-6 -- if I'm reading it right, with DANE-EE there's no constraints on certificate's identifier, and with DANE-EE it could be either service/source or target server/derived domain. Or am I misinterpreting it?
https://tools.ietf.org/html/rfc7712#section-5.1 even
flow
defanor, yes, that appears right. but the problem is the "and/or" part in RFC7673 § 6. as most APIs only take one identifier as input (sure you could invoke the verify() method multiple times)
flow
personally, if in doubt, I would always use the XMPP service name and not the DNS name of the discovered/explicitly configured host for verification
Zash
Yeah, you start with the identifier you got from the user. Only use something if it can be securely derived from that.
flow
Zash, but in this case I get two identifiers from the user: the user's JID domainpart and the DNS name of the server hosting the XMPP service