Re: [apps-discuss] Add-on for HTTPS websites
Dave Cridland <dave@cridland.net> Mon, 18 November 2013 09:48 UTC
Return-Path: <dave@cridland.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EDED11E8132 for <apps-discuss@ietfa.amsl.com>; Mon, 18 Nov 2013 01:48:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsyGoN500rq6 for <apps-discuss@ietfa.amsl.com>; Mon, 18 Nov 2013 01:48:19 -0800 (PST)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 2A9D411E8106 for <apps-discuss@ietf.org>; Mon, 18 Nov 2013 01:48:19 -0800 (PST)
Received: by mail-ob0-f174.google.com with SMTP id wn1so324403obc.19 for <apps-discuss@ietf.org>; Mon, 18 Nov 2013 01:48:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+1d9+CkHXzJFoufXOazbEdQKCCAy9lJ3Y71RrI6N4O0=; b=iheJSWbD/LC/YdJzKNx/tQKsYtv7BixweYtiJrcm/nEQbLOFnVL9goRnTQTYJcnd2P jslRDkMYG/PGAgEU9ZRXPbiq2PJwHfoX+JmWo9AW51nB2qq1I+xfMVW1xW539n6SMBj9 IrRqoWVtWpOYPemKlg9w8A9m2vnugE+GeQg18=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=+1d9+CkHXzJFoufXOazbEdQKCCAy9lJ3Y71RrI6N4O0=; b=l/8PyZ5Zm9RdH0lVMPVATDjZPQ/rbmR9Em3PZdhyS/GDETi5e83Zoy4Q1CnBoryw1T 9Jc1wB0hgcfUAF7ID6/N5B7ZlK2pSXm9qpwlS2ZaXHgvP3IVYe1z+w939mX+lvSYe0oG TTOt+ACiINmeD7oDwzLwCSW+2R8tXSlM5cGYuM30J2IuuOzjtrdPBjXeHdDVfydRTf/7 ve+7iem93Ldta/XBEcOCim7EZ2VjPriUm+WcxDh3BI/hogPuEarMu9FRNvEoLgCG9i34 Lmnf92OpUPTx13uCqznTBlLEsYyK/60qhL9dcILIbEDT/3vIOq65tXnVNTgdVRf5v7fT 52HA==
X-Gm-Message-State: ALoCoQkYXK9n8GjcPMCB3C0kQ0ePWSBGkUo9Pi6Y+gu3uHsG/iBzi20/gOZWAdEkh5NWKv4RKLOX
MIME-Version: 1.0
X-Received: by 10.182.221.230 with SMTP id qh6mr19571154obc.7.1384768098575; Mon, 18 Nov 2013 01:48:18 -0800 (PST)
Received: by 10.60.121.97 with HTTP; Mon, 18 Nov 2013 01:48:18 -0800 (PST)
In-Reply-To: <482b790b64b4eab31aa26a1b10493605.1384765746@squirrel.mail>
References: <52891184.6080707@mathemainzel.info> <37f8fec05d4d1acc999ab77a925c88e0.1384754521@squirrel.mail> <CAKHUCzzjcXLOfo9c3fMYqyt6pO00NS+L89Hr0CA75922DTFEjA@mail.gmail.com> <482b790b64b4eab31aa26a1b10493605.1384765746@squirrel.mail>
Date: Mon, 18 Nov 2013 09:48:18 +0000
Message-ID: <CAKHUCzwS6iSTtScyGwEOMWStz-iyjQu-dBrkx5UVfHo1YbJ2NA@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Walter H." <walter.h@mathemainzel.info>
Content-Type: multipart/alternative; boundary="001a11c2fcb89ccbbc04eb7072d2"
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Add-on for HTTPS websites
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 09:48:20 -0000
On Mon, Nov 18, 2013 at 9:09 AM, Walter H. <walter.h@mathemainzel.info>wrote: > On Mon, November 18, 2013 09:42, Dave Cridland wrote: > > On Mon, Nov 18, 2013 at 6:02 AM, Walter H. > > <walter.h@mathemainzel.info>wrote: > > > >> > >> Bug corrected, the example certificates were wrong. > >> > >> Filename: draft-hoehlhubmer-https-addon > >> Revision: 04 > >> > >> > > I've skimmed this quickly, and what I think you've done here is reinvent > > DANE, which is specified in RFC 6698. > > I didn't notice this RFC; > > > I don't *think* you're adding anything new, here, > > seen, the additional HTTP webpage in 2.2? > > Ah. I hadn't, but the problem with this is it's only a marginal increase in security, and given there's no formatting, it wouldn't even be possible to test automatically. So basically, you'd want this to be a .well-known thing in JSON or XML - but if this were typically deployed, then any attacker who'd already subverted everything else could easily subvert that too at little extra cost. I don't think that it'd be worthwhile, to be honest. > > but I do think it's > > always interesting when someone independently arrives at roughly the same > > concept. I'd encourage you to read through RFC 6698, and see if there's > > any > > differences between your approaches that should be addressed. > > there is a difference: my variant uses TXT records and these are available > on every DNS software; > > Yes, I did wonder if there would be faster uptake of DANE if it were purely in TXT records, however I suspect that the marginal difficult of adding TLSA support in this specific case would be pretty low compared to adding DNSSEC anyway. Besides, DANE does TLSA; I don't think there's any evidence that TLSA support is holding anything back right now. > > I'd suggest you probably don't want to invest too much more time in your > > own approach, though. > I should expand on this, really. What you have done is independently come up with largely the same concept as DANE. This is pretty awesome, and it puts you with a unique insight into DANE. I don't want to imply that your effort so far is a complete waste of your time. Your fundamental idea - that certificate information can be put in DNS to increase security - is a good one, so good that it's been done already. However, there's no point in trying to persuade all those involved in DANE that they should scrap their approach and go with yours - even if there was some merit in that, you'd need a really compelling reason to do that, and I don't think you have one. What you should instead do is figure out how to get your higher-level ideas to work within DANE's framework, and see whether they make sense. One interesting point your draft makes is that you have DNSSEC as a "SHOULD", rather than a "MUST" - I need to think considerably more about whether running DANE without DNSSEC make sense in some cases - my gut feeling is that it might be interesting in Certificate Usage 0 and 1 cases (See RFC 6698 ยง 2.1.1) - that is, where the TLSA records indicate constraints on PKIX. Dave.
- [apps-discuss] Add-on for HTTPS websites Walter H.
- Re: [apps-discuss] Add-on for HTTPS websites Walter H.
- Re: [apps-discuss] Add-on for HTTPS websites Walter H.
- Re: [apps-discuss] Add-on for HTTPS websites Dave Cridland
- Re: [apps-discuss] Add-on for HTTPS websites Walter H.
- Re: [apps-discuss] Add-on for HTTPS websites Dave Cridland
- Re: [apps-discuss] Add-on for HTTPS websites Walter H.