Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt
tirumal reddy <kondtir@gmail.com> Fri, 31 July 2020 06:21 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B65B3A0F18 for <add@ietfa.amsl.com>; Thu, 30 Jul 2020 23:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c_eCVY8rj67u for <add@ietfa.amsl.com>; Thu, 30 Jul 2020 23:21:00 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01703A0F1B for <add@ietf.org>; Thu, 30 Jul 2020 23:20:59 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id k23so30621747iom.10 for <add@ietf.org>; Thu, 30 Jul 2020 23:20:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/S/KLgUp6z3rm6jBV9Qin+gK2Ib+1GmgLPgbtG6YEU0=; b=PWRzzA/KR0j73mUw6UVq1B9yFl0f6dDLAYuWE+kTVpsquS1C7+4Rx+jZCgTtv0Sprs +9vkCgbriOUtxb3EkJfP1Kp4xUntRu+n4BFv69NBmpgurLkyIYyIaX0H4GksNzftyBSx 1EKlViISLfnfbnDxD9NCINq0Dd2nBn39EeJNbLJRXrsIDVegEktAPLC4pJHW3madVgwO MAwXrvAyCDkKTTifQ8MzAoPOr1mPa/ay1A5GeqE4nJ8oEWejKyhFyNGK9Q6cL2EnP8/s nNlPaIQXI4YYta0ziLpD6U/tTcfE531a2sMqrFaf6rcKeafbrVj07erSMeEEdCmy+zJn LRnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/S/KLgUp6z3rm6jBV9Qin+gK2Ib+1GmgLPgbtG6YEU0=; b=Ppi/x2d3T8PjqFrbJnLso1h0wXF78H4mQ0LSuc2Kg2lJSrYqpMxk8I8RKJQtA3vAI+ 8GbBGwfgQrGHueaa76aTVyv118e3gFbcvpzsd8EciMTVPQZCpByPqupSpJXxCaCJhmF/ NSNvItaHmZGv+dTNBkpB597LZQzRoX/GVRxAdRnBQtr3HA3gbfd3mxg1zTydBCjqhllh Pcma1hhqfzk9KQM/BoH3FDHjKMTBEajGSfzeLvTFv2fxC3vwrgwIJTaI25IjiTK39gPt a2XWikaiUD2x0Jpws6eI8/GdpHk7kKc1LbgAT++ary3+2FZDWs9yHDOWFzQV30Slga4K gM+g==
X-Gm-Message-State: AOAM530ETdgkzCBJYTZ0lUW9mkEppbn7R8uaRi4FI7V3LoKL2KLSju9k kBX35WWD+g7HTvnUAAdto9whZ0cYeECoyQr5maQ=
X-Google-Smtp-Source: ABdhPJxwzW1UqnzuYTMQ4kbhqMYKwLc8L+0YptiN/TAlP0x3TeOuYIabI5Sw5JuudCuaFbFw7fgDhZsNtBu0NMfwPsU=
X-Received: by 2002:a6b:f014:: with SMTP id w20mr2195378ioc.21.1596176458204; Thu, 30 Jul 2020 23:20:58 -0700 (PDT)
MIME-Version: 1.0
References: <3954080.qUnaP1aulD@linux-9daj> <8E7D3BAE-13C2-4DC8-9D23-3138DC2F4DE4@fugue.com> <1054325087.2835.1595936001612@appsuite-gw2.open-xchange.com> <Mailbird-f5c0c75a-a605-4089-b5e4-7db89115f37c@scramworks.net> <CAOb=54Sa5z7ARD3gMxwYWtUmn_kPYARyERvzPdL3DvDUVwzxZA@mail.gmail.com> <CWXP265MB0566B8EE78D37F2A7C4BA655C2700@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <DM6PR00MB0781A104B33E7B69920D4667FA700@DM6PR00MB0781.namprd00.prod.outlook.com> <CACJ6M15WSivqf33-UNAORJV9SRWVbYi66CA-rX4=y3A0meOB2g@mail.gmail.com> <CAChr6Sz6uWWniuKpwW2cUV0oCW7HKxCK1cnQxTpr44ksBCiCtA@mail.gmail.com> <6CDFB1BB-9AEB-411B-B338-CCBC1BA54C03@fugue.com> <CAChr6SwvAaLjDUjJfBt-H9=97mLJcM1264p63ZHVoPUfnef1OA@mail.gmail.com> <EB22CB7C-B69C-44E7-AC42-448C32514E23@fugue.com> <CAFpG3gd6yBQqMWV50tMY-Q5y+zHEJ=+b+VCzc4ae2FKArNBogA@mail.gmail.com> <CAChr6Sx6=teqbtHW4+swjc14zjwSJti0b7m7u3LvwN0K0JOU=w@mail.gmail.com> <CAFpG3gfgTjiM0bmru-hKEMLZDw+VVd=KYP+KohwwpwghsUih1g@mail.gmail.com> <CAChr6Sy4+NkzDHBb0AE+gqjFcPA_Yj9hM8i+GzyjsojvoWfwhA@mail.gmail.com> <CAFpG3gf8P61ViKzKqpusthTZf4z+RzQVJUOtOwA5_zJkxWm8Kw@mail.gmail.com> <CACJ6M1529TnShk81S-Wdeqhoo6Mc5medktSB5DYWVhuWAqt0tQ@mail.gmail.com> <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com> <20200730132857.6MGkL%steffen@sdaoden.eu>
In-Reply-To: <20200730132857.6MGkL%steffen@sdaoden.eu>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 31 Jul 2020 06:20:46 +0000
Message-ID: <CAFpG3gehFJ8muZOFp7RrWA_9tNv43+9zWjA_P8On3c_M_o5SMg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>, "Chris Box (BT)" <chris.box.ietf@gmail.com>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>, Ted Lemon <mellon@fugue.com>, Rob Sayre <sayrer@gmail.com>, Steffen Nurpmeso <steffen@sdaoden.eu>
Content-Type: multipart/alternative; boundary="000000000000ca4c8c05abb6ca9e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/CaxymJ2vCAdGg1eP8V2EEml54rE>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 06:21:03 -0000
On Thu, 30 Jul 2020 at 13:28, Steffen Nurpmeso <steffen@sdaoden.eu> wrote: > tirumal reddy wrote in > <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com>: > |Hi Chris, > | > |Good points, please see inline > | > |On Thu, 30 Jul 2020 at 06:00, Chris Box (BT) <chris.box.ietf@gmail.com> > |wrote: > | > |> Rob you appear to be saying you don’t need such features to secure a > home > |> network, but I would certainly appreciate having Tiru’s (a) to (e) \ > |> deployed > |> in my house. I don’t want the smart TV equipped with microphone and \ > |> webcam > |> to be remotely compromised, nor any other device. Without such > |> network-level control, enabled by standards, my only defence is to > |> physically unplug the TV from the network when not in use. > |> > | > |> Following Eva’s talk in HRPC, I’ll put myself in the shoes of a > dissident > |> in a hostile regime. In such a case I would feel even greater need \ > |> for such > |> security. Of course I would choose my security supplier carefully, \ > |> and not > |> one aligned to the regime. I then need one or two devices that route > |> through Tor. > |> > |> I fully agree the challenge is to distinguish legitimate network > signals > |> from those of an attacker. Robustly identifying who they came from is > |> non-trivial, but hopefully not impossible? > |> > | > |Yes, identifying the trustworthiness of the peer is discussed in RATS WG > |(see https://datatracker.ietf.org/wg/rats/about/). Remote attestation > |procedures (RATS) enable relying parties to establish a level of > confidence > |in the trustworthiness of remote system components through the creation > of > |attestation evidence by remote system components and a processing > |chain towards the relying party. A relying party can then decide whether > |to consider a remote system component trustworthy or not. > | > |The claims used as evidence and attestation for DNS server is discussed > in > |https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04. > > I personally do not get what yet another line of authorities > transported via JSON encoded structures fetched via another DNS > record that just exposes that JSON structure gives the world anew. > RATS allows the attestation to be represented in JSON or CBOR (see https://tools.ietf.org/html/draft-ietf-rats-eat-03#section-1.1). The PAT object is retrieved using RESINFO RRtype ( https://tools.ietf.org/html/draft-pp-add-resinfo-01) and it uses JSON to return the resolver information. > > Indirection may make everything possible, but, i mean, to me the > key point of RFC 8572 for example is the > > 3.3 Ownership Voucher > [this] artifact is used to securely identify a device's owner, > as it is known to the manufacturer. The ownership voucher is > signed by the device's manufacturer. > > _If_ i can find my way home i can securely update myself, where > securely means manufacturer here. Great that standard CMS is > used. > https://tools.ietf.org/html/rfc8572 is specific to zero-touch provisioning of networking devices and IoT devices in Enterprise networks. The owner certificate can be used to validate the PAT signature (see the last paragraph https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04#section-10 ). > > Even if DNSSEC [RFC6698] is used to authenticate the various DNS > resource records [.] the device cannot be sure that the domain > returned to it, e.g., from a DHCP server, belongs to its > rightful owner. > > It then refers back to RFC 6763, DNS-based service discovery. > Which has really nice, easy to parse content, and does not use > JSON only to represent key/value pairs. (Why not a fixed CBOR > thing instead, they are talking maps at the moment, for example. > And can easily be converted back and forth to JSON while still > being parsed directly, as it is binary.) What is so wrong with > this service discovery thing, i think it could very well serve > additional things. But especially so if another registry is > introduced for the concept. RFC 8572 also says > > Using a DHCP server may be a compelling option for deployments > having existing DHCP infrastructure, as it enables a touchless > bootstrapping option that does not entail utilizing an > Internet-based resource hosted by a third party. > > A DHCP server is an untrusted source of bootstrapping data. > Thus, the information stored on the DHCP server either MUST be > signed or MUST be information that can be processed > provisionally (e.g., unsigned redirect information). > > I do not know (people can agree here), but if that could improve. > Also being x-rayed yesterday (untreated bike accident last > November) my pictures are now at healthdataspace.org even without > me agreeing with that, they have a German data security seal of > approval, but then it is just a QR-code and/or an access code > (alphanumeric and length of 10 or 12, iirc). > > It is not an option for a light bulb, but that thing surely > belongs behind a household router, and easy usable routers with > why not ample-style use cases would be great, imho. With a short > fingerprint printed on a device that shows up on that router, just > like for Bluetooth pairing. I could imagine people could get used > to that. (Especially with some kind of those terrible apps on > their smart phones which are linked to the "router" of the > household, then, so they get informed of that event. I think DHCP > even allows ident strings to be emitted from DHCP client to > server.) > There are several mechanisms to securely bootstrap IoT devices, you may want to look into the recently adopted draft https://tools.ietf.org/html/draft-sarikaya-t2trg-sbootstrapping-08 by T2TRG and within the scope of IETF is BRSKI and SZTP. Cheers, -Tiru > > Sorry, i do not seem to understand. > > --steffen > | > |Der Kragenbaer, The moon bear, > |der holt sich munter he cheerfully and one by one > |einen nach dem anderen runter wa.ks himself off > |(By Robert Gernhardt) >
- [Add] Fwd: New Version Notification for draft-pau… Tommy Pauly
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Stephane Bortzmeyer
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] New Version Notification for draft-paul… Tommy Pauly
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] New Version Notification for draft-paul… Tim Wicinski
- Re: [Add] New Version Notification for draft-paul… Ben Schwartz
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] New Version Notification for draft-paul… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… Tony Finch
- Re: [Add] New Version Notification for draft-paul… Tommy Pauly
- Re: [Add] New Version Notification for draft-paul… Tommy Pauly
- Re: [Add] New Version Notification for draft-paul… Tim Wicinski
- Re: [Add] New Version Notification for draft-paul… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… Tony Finch
- Re: [Add] New Version Notification for draft-paul… Tommy Pauly
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] New Version Notification for draft-paul… Ben Schwartz
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… Stephen Farrell
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… Stephen Farrell
- Re: [Add] New Version Notification for draft-paul… Rob Sayre
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… STARK, BARBARA H
- Re: [Add] New Version Notification for draft-paul… STARK, BARBARA H
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Rob Sayre
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Paul Vixie
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] New Version Notification for draft-paul… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Stephane Bortzmeyer
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vinny Parla (vparla)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Robert Mortimer
- Re: [Add] New Version Notification for draft-paul… Kenji Baheux
- Re: [Add] New Version Notification for draft-paul… Paul Vixie
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Mohit Sethi M
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] New Version Notification for draft-paul… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… Ted Lemon
- Re: [Add] New Version Notification for draft-paul… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] New Version Notification for draft-paul… Stephane Bortzmeyer
- Re: [Add] [EXTERNAL] Re: New Version Notification… Simon Hicks
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Chris Box (BT)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Chris Box (BT)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Chris Box (BT)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… Chris Box (BT)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Andrew Campling
- Re: [Add] [EXTERNAL] Re: New Version Notification… Rob Sayre
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Joe Abley
- Re: [Add] [EXTERNAL] Re: New Version Notification… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: New Version Notification… Chris Box (BT)
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: New Version Notification… Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tommy Pauly
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Ted Lemon
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Mohit Sethi M
- Re: [Add] [EXTERNAL] Re: New Version Notification… Mohit Sethi M
- Re: [Add] [EXTERNAL] Re: New Version Notification… tirumal reddy
- Re: [Add] [EXTERNAL] Re: New Version Notification… Steffen Nurpmeso
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tony Rutkowski
- Re: [Add] [EXTERNAL] Re: New Version Notification… Eric Rescorla
- Re: [Add] [EXTERNAL] Re: New Version Notification… Tony Rutkowski