Re: [Dance] CRLs/OCSP and DANE at RIPE84

Geoff Huston <gih902@gmail.com> Tue, 24 May 2022 20:40 UTC

From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <19724.1653397933@localhost>
Date: Wed, 25 May 2022 06:39:56 +1000
Cc: Shumon Huque <shuque@gmail.com>, dance <dance@ietf.org>
Message-Id: <566A12DB-803A-4C4A-B711-4E349B099331@gmail.com>
References: <887547.1653131902@dooku> <CAHPuVdXED50HMmBzkPCRa6pTqUnD8FA_upyWSMZy9OBt=q1GfA@mail.gmail.com> <19724.1653397933@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/3B82Qobckkjiqax-OZNtoKlkO7M>
Subject: Re: [Dance] CRLs/OCSP and DANE at RIPE84


> On 24 May 2022, at 11:12 pm, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Shumon Huque <shuque@gmail.com> wrote:
>>> https://ripe84.ripe.net/archives/video/864/
>>> Geoff Huston looks at revocation, and how it is just not working, and
>>> suggests DNSSEC+DANE.
>>> Very much worth watching.
>>> 
> 
>> I'm kind of sympathetic to Geoff's views.
> 
>> But the prospects of DANE generally replacing (or constraining) PKIX and
>> delivering a DNS-based revocation capability seem pretty slim to me,
>> especially in the web arena, which seemed
> 
> I don't think that Geoff imagines any kind of revocation capability via DNS.

When the TTL expires in the DNS you requery from an authoritative name server
and “refresh” your data. We don't have revocation in the DNS as we don't
need revocation in the DNS.


> 
>> to be the focus of Geoff's presentation. Note the failed attempt to
>> standardize the TLS DNSSEC chain extension in the TLS working group
>> (now published as an experimental RFC via the ISE).
> 
> I didn't follow that work, but that's basically part of the problem.

Agreed - the PKIX-related conversations tend to be isolated. I agree with
Michael’s observation that maybe that’s part of the problem here.

Geoff
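To make the "TTL instead of revocation" point above concrete, here is an added illustration (not code from this thread or from any DANE implementation): a toy resolver cache plus a DANE-EE/SPKI/SHA-256 TLSA match, showing that a rotated key is accepted by a client for at most one TTL after the zone changes, with no revocation message involved. The SPKI byte strings and the owner name `_443._tcp.example.net` are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class TLSA:
    usage: int      # 3 = DANE-EE (end-entity key pinned directly)
    selector: int   # 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA-256 of the selected data
    data: bytes     # certificate association data
    ttl: int        # seconds a resolver may cache this record


class Resolver:
    """Toy stub resolver: serves from cache until the TTL expires, then re-queries."""

    def __init__(self, zone):
        self.zone = zone      # authoritative data: owner name -> TLSA
        self.cache = {}       # owner name -> (record, expiry time)
        self.queries = 0      # authoritative queries issued

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                      # still fresh: no query
        self.queries += 1
        rec = self.zone[name]
        self.cache[name] = (rec, now + rec.ttl)
        return rec


def tlsa_for_spki(spki, ttl):
    """Build the DANE-EE(3) / SPKI(1) / SHA-256(1) record for a public key."""
    return TLSA(3, 1, 1, hashlib.sha256(spki).digest(), ttl)


def dane_matches(record, spki):
    if (record.usage, record.selector, record.mtype) != (3, 1, 1):
        raise ValueError("only usage 3 / selector 1 / matching type 1 modelled")
    return hashlib.sha256(spki).digest() == record.data


def simulate(ttl=3600, rotate_at=600):
    old_key, new_key = b"constructed-old-spki", b"constructed-new-spki"  # constructed
    name = "_443._tcp.example.net"
    zone = {name: tlsa_for_spki(old_key, ttl)}
    r = Resolver(zone)
    assert dane_matches(r.lookup(name, 0), old_key)
    zone[name] = tlsa_for_spki(new_key, ttl)      # operator rotates the key
    stale_ok = dane_matches(r.lookup(name, rotate_at), old_key)  # cached: still accepted
    fresh = r.lookup(name, ttl + 1)               # TTL elapsed: re-query, old key gone
    return stale_ok, dane_matches(fresh, old_key), dane_matches(fresh, new_key), r.queries
```

The window in which a client still trusts the retired key is bounded by the TTL the zone operator chose, which is the DNS-side trade-off that stands in for CRL or OCSP latency in PKIX.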