Re: [Dance] CRLs/OCSP and DANE at RIPE84

Shumon Huque <shuque@gmail.com> Tue, 24 May 2022 20:40 UTC

References: <887547.1653131902@dooku> <CAHPuVdXED50HMmBzkPCRa6pTqUnD8FA_upyWSMZy9OBt=q1GfA@mail.gmail.com> <19724.1653397933@localhost>
In-Reply-To: <19724.1653397933@localhost>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 24 May 2022 16:39:57 -0400
Message-ID: <CAHPuVdWNe-SFZmRDB5nORs+3fFWgGLVyZKxFSOGx95j4wBpjUA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: dance <dance@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/n39qU2fDq5bUpNkLxKac3Bcog4I>
Subject: Re: [Dance] CRLs/OCSP and DANE at RIPE84
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>

On Tue, May 24, 2022 at 9:12 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>
> Shumon Huque <shuque@gmail.com> wrote:
>     >> https://ripe84.ripe.net/archives/video/864/
>     >> Geoff Huston looks at Revocation, and how it is just not working, and
>     >> suggests DNSSEC+DANE.
>     >> Very much worth watching.
>     >>
>
>     > I'm kind of sympathetic to Geoff's views.
>
>     > But the prospects of DANE generally replacing (or constraining) PKIX and
>     > delivering a DNS-based revocation capability seem pretty slim to me,
>     > especially in the web arena, which seemed
>
> I don't think that Geoff imagines any kind of revocation capability via DNS.
>

Michael, if you use DANE, you get DNS-based revocation automatically. The
mechanism is simply to remove or update the TLSA etc. record, and the
previously referenced certificate or key in the record will be invalidated at
the time scale of the TTL.

Shumon.
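The revocation-by-TTL mechanism described in the message above, modelled as an added example (this is editorial illustration, not code from the DANCE working group or from either correspondent). It assumes a DANE-only client checking a DANE-EE(3) / SPKI(1) / SHA2-256(1) TLSA record, a resolver that caches the RRset for its TTL, and constructed SPKI byte strings standing in for real keys; the timeline shows both the revocation and the caveat a defender should plan for, namely that a client holding a cached copy keeps accepting the old key until that copy expires.

```python
import hashlib
from dataclasses import dataclass

# Constructed example values: a 300-second TTL and two fake SPKI blobs.
TTL = 300
OLD_SPKI = b"constructed SubjectPublicKeyInfo bytes for key A"
NEW_SPKI = b"constructed SubjectPublicKeyInfo bytes for key B"
NAME = "_443._tcp.service.example"  # hypothetical TLSA owner name


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE
    selector: int   # 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA2-256
    data: bytes     # certificate association data


def tlsa_for_spki(spki: bytes) -> TLSA:
    """Build the TLSA 3 1 1 record an operator would publish for this key."""
    return TLSA(3, 1, 1, hashlib.sha256(spki).digest())


class Zone:
    """Authoritative side: the operator's TLSA RRset for one owner name."""

    def __init__(self, records):
        self.records = list(records)

    def replace(self, records):
        """Key rotation or revocation: publish a new RRset."""
        self.records = list(records)

    def remove_all(self):
        """Revocation by removal: publish no TLSA records at all."""
        self.records = []


class CachingResolver:
    """Stub resolver: serves a cached RRset until its TTL expires, then refetches."""

    def __init__(self, zone: Zone, ttl: int):
        self.zone = zone
        self.ttl = ttl
        self.cache = {}  # owner name -> (expires_at, records)

    def lookup(self, name: str, now: int):
        entry = self.cache.get(name)
        if entry is None or now >= entry[0]:
            entry = (now + self.ttl, list(self.zone.records))
            self.cache[name] = entry
        return entry[1]


def dane_accepts(records, presented_spki: bytes) -> bool:
    """DANE-only client policy: accept iff some 3 1 1 record matches the presented SPKI.
    An empty RRset means nothing is authorised, so the connection is refused."""
    digest = hashlib.sha256(presented_spki).digest()
    return any(r.usage == 3 and r.selector == 1 and r.mtype == 1 and r.data == digest
               for r in records)


def revocation_timeline() -> dict:
    """Walk the lifecycle: publish A, replace with B, then remove everything."""
    zone = Zone([tlsa_for_spki(OLD_SPKI)])
    resolver = CachingResolver(zone, TTL)
    out = {}

    # t=0: client validates key A against the freshly fetched RRset.
    out["t0_old_key"] = dane_accepts(resolver.lookup(NAME, 0), OLD_SPKI)

    # t=60: operator revokes A by publishing B instead. The client still holds
    # the cached RRset, so A is accepted until the TTL runs out (the exposure window).
    zone.replace([tlsa_for_spki(NEW_SPKI)])
    out["t60_old_key_still_cached"] = dane_accepts(resolver.lookup(NAME, 60), OLD_SPKI)

    # t=300: cache expired, refetch; A is now rejected and B is accepted.
    rrset = resolver.lookup(NAME, TTL)
    out["t300_old_key"] = dane_accepts(rrset, OLD_SPKI)
    out["t300_new_key"] = dane_accepts(rrset, NEW_SPKI)

    # Removal instead of replacement: after the next expiry nothing is accepted.
    zone.remove_all()
    out["t600_after_removal"] = dane_accepts(resolver.lookup(NAME, 2 * TTL), NEW_SPKI)
    return out


if __name__ == "__main__":
    for step, accepted in revocation_timeline().items():
        print(f"{step:28s} accepted={accepted}")
```

The design point is the cache: the zone change is instant, but each client's view converges only as its cached RRset expires, so the TTL chosen for the TLSA RRset is the revocation latency. Real deployments also need DNSSEC validation of the RRset (and of its absence) for the removal case to be trustworthy, which this stub resolver does not model.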