Re: [dane] provisioning assumptions, was PGP security models, was Summary
"John Levine" <johnl@taugh.com> Tue, 22 September 2015 20:11 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20FC61B2D42 for <dane@ietfa.amsl.com>; Tue, 22 Sep 2015 13:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.663
X-Spam-Level: *
X-Spam-Status: No, score=1.663 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3uPcjTobv3p for <dane@ietfa.amsl.com>; Tue, 22 Sep 2015 13:11:48 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5E411B2D40 for <dane@ietf.org>; Tue, 22 Sep 2015 13:11:47 -0700 (PDT)
Received: (qmail 8587 invoked from network); 22 Sep 2015 20:11:46 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 22 Sep 2015 20:11:46 -0000
Date: Tue, 22 Sep 2015 20:11:24 -0000
Message-ID: <20150922201124.4334.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <alpine.LFD.2.20.1509221108280.4663@bofh.nohats.ca>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/1-F6j-ouitgcWscQFz3zcZbGHfg>
Subject: Re: [dane] provisioning assumptions, was PGP security models, was Summary
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 20:11:49 -0000
>The other common use problem is not being able to delete keys, so you end >up using a keyserver, get a (verified by WoT) key and then in response >you get a plaintext message saying "I forgot my passphrase so i cannot >delete/revoke my old key". With DNS, you can remove the key from DNS >without needing the private key or passphrase to it. There's a whole bunch of unsupported assumptions here about how mail and DNS provisioning systems work. While there's often a way to recover your account if you lose your password, at large mail systems they don't work very well, particularly if the account's been compromised and taken over by a bad guy, which happens thousands of times a day. (I know people at Yahoo whose full time jobs are to deal with this.) Even without a compromise, it's often more hassle than it's worth to recover the account, so you create a new one and the old one sits there unused--that's why I'm jrlevine2@yahoo.com rather than jrlevine. Also, this introduces a downgrade attack. User creates a key, gets lots of WoT signatures, publishes it through key servers and DANE. Bad guy takes over the account, publishes a new key with no signatures. According to sec 5.2 of the draft, a mail sender looks up the key, finds they disagree, and the verification fails. Now what? The draft suggests dumping the question on the MUA user, which we know is never a good idea. As likely as not a naive user would pick the newer key, the one that says "USE THIS KEY OLD ONE WAS STOLEN." Finally, if the problem with existing key servers is that they won't delete dead keys, that does not strike me as an insoluble problem. Talk to the people who run them, suggest they add an "it's dead" button that sends a confirmation message to the address in the key and when confirmed, deletes the key. The security risk is small, it is just as secure as the DANE approach (with the advantage that existing PGP clients work unchanged), and we're all done. R's, John
- Re: [dane] Summary of IETF LC for draft-ietf-dane… Viktor Dukhovni
- Re: [dane] PGP security models, was Summary of IE… John Levine
- Re: [dane] PGP security models, was Summary of IE… Paul Wouters
- Re: [dane] PGP security models, was Summary of IE… manning
- Re: [dane] PGP security models, was Summary of IE… manning
- Re: [dane] PGP security models, was Summary of IE… Scott Kitterman
- Re: [dane] PGP security models, was Summary of IE… John C Klensin
- Re: [dane] PGP security models, was Summary of IE… Joe Abley
- Re: [dane] PGP security models, was Summary of IE… Paul Wouters
- Re: [dane] provisioning assumptions, was PGP secu… John Levine
- Re: [dane] provisioning assumptions, was PGP secu… Paul Wouters
- Re: [dane] PGP security models, was Summary of IE… Randy Bush
- Re: [dane] PGP security models, was Summary of IE… Viktor Dukhovni
- Re: [dane] PGP security models, was Summary of IE… Randy Bush
- Re: [dane] PGP security models, was Summary of IE… Sam Hartman
- Re: [dane] PGP security models, was Summary of IE… Dave Crocker
- Re: [dane] PGP security models, was Summary of IE… Paul Wouters
- Re: [dane] PGP security models, was Summary of IE… Sam Hartman
- Re: [dane] PGP security models, was Summary of IE… Dave Crocker