Re: [Dance] CRLs/OCSP and DANE at RIPE84

Shumon Huque <shuque@gmail.com> Tue, 24 May 2022 21:52 UTC

References: <887547.1653131902@dooku> <CAHPuVdXED50HMmBzkPCRa6pTqUnD8FA_upyWSMZy9OBt=q1GfA@mail.gmail.com> <19724.1653397933@localhost> <CAHPuVdWNe-SFZmRDB5nORs+3fFWgGLVyZKxFSOGx95j4wBpjUA@mail.gmail.com> <924BEB7A-1155-4C79-9F62-BA84BB09BEB6@bluepopcorn.net>
In-Reply-To: <924BEB7A-1155-4C79-9F62-BA84BB09BEB6@bluepopcorn.net>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 24 May 2022 17:52:11 -0400
Message-ID: <CAHPuVdWsEwVU+Hd0s2u3uAgGXQU1=fsgUy5v6ggwUfS3mX_ssg@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, dance <dance@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/ZLDuSMtV-FQra8aVGYfFbmtmsFs>
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>

On Tue, May 24, 2022 at 5:47 PM Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 24 May 2022, at 13:39, Shumon Huque wrote:
>
> > Michael, if you use DANE, you get DNS based revocation automatically.
> > The mechanism is simply to remove or update the TLSA etc record, and the
> > previously referenced certificate or key in the record will be invalidated
> > at the time scale of the TTL.
>
> I wouldn’t call that revocation. I would describe that as (typically) a
> short validity period. One advantage is that it isn’t necessary to actively
> renew something at the end of that validity period. But having something
> that goes away, within say 3 hours after being withdrawn (ietf.org TTL),
> is a huge improvement.
>

I meant to put revocation in quotes! :)

A specific action taken (removal or updating of a DNS record) resulted in
invalidation of the previously referenced cert/public key data in the record.
That sounds similar to revocation to me (or whatever we want to call it).

Shumon.
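As an added illustration of the TTL-bounded "revocation" discussed in this exchange (example code, not from the thread or from any DANE implementation), the following Python models TLSA matching with the RFC 6698 selector and matching-type semantics plus a resolver cache that honours the RRset TTL, then measures how long a withdrawn record keeps validating for a client that cached it. The zone name, the certificate and SPKI bytes and the 3-hour TTL are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE (end-entity certificate or key pinned directly)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this TLSA record vouch for the presented certificate / public key?"""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(selected).digest() == rr.data
    raise ValueError(f"unknown matching type {rr.mtype}")

class CachingResolver:
    """Toy resolver: an authoritative zone dict plus a cache keyed by TTL expiry."""
    def __init__(self, zone: dict, ttl: int):
        self.zone, self.ttl, self.cache = zone, ttl, {}
    def lookup(self, name: str, now: int) -> tuple:
        rrset, expires = self.cache.get(name, ((), -1))
        if now < expires:                 # still inside the TTL: serve the cached RRset
            return rrset
        rrset = self.zone.get(name, ())   # otherwise re-query the zone (may now be empty)
        self.cache[name] = (rrset, now + self.ttl)
        return rrset

def dane_ee_ok(res: CachingResolver, name: str, now: int, cert: bytes, spki: bytes) -> bool:
    """DANE-EE check: at least one usage-3 record must match the presented cert/key."""
    return any(tlsa_matches(rr, cert, spki) for rr in res.lookup(name, now) if rr.usage == 3)

def first_failure_after_withdrawal(ttl: int = 10800) -> int:
    """Publish a TLSA RR, let a client cache it at t=0, withdraw it at t=1, and return
    the first second at which the old key stops validating (the 'revocation' latency)."""
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"   # stand-ins for real DER
    name = "_443._tcp.example.net."                                # constructed owner name
    zone = {name: (TLSA(3, 1, 1, hashlib.sha256(spki).digest()),)}  # "3 1 1 <sha256(spki)>"
    res = CachingResolver(zone, ttl)
    assert dane_ee_ok(res, name, 0, cert, spki)   # t=0: client validates and caches the RRset
    del zone[name]                                # t=1: operator withdraws the record
    for t in range(1, ttl + 2):
        if not dane_ee_ok(res, name, t, cert, spki):
            return t
    raise AssertionError("old key never invalidated")
```

The withdrawn key keeps validating for exactly one TTL on clients that cached it before removal; clients that first query after the withdrawal see the empty answer immediately, which is the bound Jim's "3 hours" refers to.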