IETF Logo Mail Archive

Re: [dane] Classic PKI and DANE in harmony

Ben Laurie <benl@google.com> Fri, 14 June 2013 13:12 UTC

Return-Path: <benl@google.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA58C21F9CA7 for <dane@ietfa.amsl.com>; Fri, 14 Jun 2013 06:12:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DrJqweLmUDL5 for <dane@ietfa.amsl.com>; Fri, 14 Jun 2013 06:12:04 -0700 (PDT)
Received: from mail-ie0-x233.google.com (mail-ie0-x233.google.com [IPv6:2607:f8b0:4001:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id BC70121F9C89 for <dane@ietf.org>; Fri, 14 Jun 2013 06:12:04 -0700 (PDT)
Received: by mail-ie0-f179.google.com with SMTP id c10so1392188ieb.10 for <dane@ietf.org>; Fri, 14 Jun 2013 06:12:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=EiMhP0QhinaIQVILW7+FM2xyKdpevKTz7f1A8rtt4vk=; b=FznsCyOodqeZO8MxgiUatusw0eQysJ8lTiXuExu88XJmpJZwDW6ONhecYURuRFeB/I cWHZ8YdUFj12YMVoteU+Temm2lgnPObFYMJ3LW1xR07zACijaa5o9SOqsFyV0Llx3gzg WD16U7pGBFtsskQ2Xrq5aGcUf5yaxiyB3FPxVgHdwacmlCgrOsQyCsOdj2EU0WX1vB0G Oae1QHe2JASA0te8YTcy2cVEEog8J61wVmv8PQ4BFEbLm8+N8iZlA3fnjnNArV1yn85/ owevGVfjPrhk0RMNAAeAvLxV8FGPPBraMFElY54mjhOd8aQSL6Fdi1NnCY8nU4uwo3F3 hHug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=EiMhP0QhinaIQVILW7+FM2xyKdpevKTz7f1A8rtt4vk=; b=gfWE5qly9bwYWLwf07Gi1Lz4QFkGt5UN2T/g0lysiKqFsRHcp04kfIAKKUSRgAaofO HcuZnjWutAaPKossySXyEuv8O8rHGI47+xDuFoiBzc641IgTpGYWXlsbhllw73uT4fLT l51GHBBCEQy0OsTr6v9KlnEE8lMI8oiAfly0uCqhvXdZ1cLT04MBQdVviLBZ3SOGYo1d +9upThmol0zm5lpbtguv2BVdUSFvzhZ9/VCR+zDFRlD9GXvdN0iPLkKDN+FOBzaCX55b t5eLfQY9WFh3oXSlC5xvYLvWwJYfXwX2PKJN1afJTYfFYY837G8Tyok5bJUOHa3w3h+h zwyg==
MIME-Version: 1.0
X-Received: by 10.50.153.113 with SMTP id vf17mr977509igb.101.1371215524233; Fri, 14 Jun 2013 06:12:04 -0700 (PDT)
Received: by 10.64.42.72 with HTTP; Fri, 14 Jun 2013 06:12:04 -0700 (PDT)
In-Reply-To: <CAMm+Lwh3es-ZCx4Gtec8bqS4=7zucL-c4qY7rJcsUQkWZgNviQ@mail.gmail.com>
References: <CDCC1183.46C6E%ch@psw.mx> <20130529184555.GY9380@mournblade.imrryr.org> <544B0DD62A64C1448B2DA253C011414607ACD1048F@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CA8EBB16-E886-41AB-A7A0-0B02C13062ED@kirei.se> <5B925F3A-B122-469D-97F5-7DF8A2262795@kumari.net> <CABrd9SQ_ggTf5MbZq1OePq_DtMxNysYHAouBwz-Dx7gu-ihqEQ@mail.gmail.com> <69DCBEB1-396E-4EDF-A86B-CB2483CAD094@NLnetLabs.nl> <CABrd9SQmM6tjVXcdj7bCE4wwFAv0C67EtGAP4TMA53pHkK87kA@mail.gmail.com> <20130530151810.GD9380@mournblade.imrryr.org> <CABrd9SRbr4eN=XabNHX44Aw=bPpu__CXqgdDay148W0jLcXsCg@mail.gmail.com> <20130530155539.GG9380@mournblade.imrryr.org> <CABrd9STiPkg1SmwrvcQWDv=4j=UB1SR0_Fvg=-4+YwTGZeQdrw@mail.gmail.com> <CAMm+LwiU2SK95r=4Pn+3ezcoZnJThxhg1C6W2dtKqYMMe8s4Gg@mail.gmail.com> <CABrd9SR05yn_G2QPZqFphRMYHOeFz=gvtLFR0Sap-ddY+rgcVw@mail.gmail.com> <CAMm+LwhRGybyd5v2p_tOV6ZUzZHbF=CR93NRmvU3yJ=Lw8TXUA@mail.gmail.com> <CABrd9SSoaSt-U+xJp62Qa-CxPf+OtF3QgMzh64hqOna7u-1Brw@mail.gmail.com> <CAMm+Lwjwfs86qHaK1+Z++KYvZv9PLTbRNf+g7av+QPf=jCqeGg@mail.gmail.com> <CABrd9STYStxiZVTE3zpS_846xr8F6B3xyPEJi9JPsMzN59N9cg@mail.gmail.com> <CAMm+Lwh3es-ZCx4Gtec8bqS4=7zucL-c4qY7rJcsUQkWZgNviQ@mail.gmail.com>
Date: Fri, 14 Jun 2013 14:12:04 +0100
Message-ID: <CABrd9STzNVG_5Lz8r4zhBr5GeSNH=crr++hg6YMFLqY=A9dmPg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQmKSmToQ+DIjHOqLy5iLG1JKdqLHwUqe4LlLDPn07GoJ+GRcNx5id8v4LYy8SVoZAbEkqvbMoGzQ+sTQckvZiFm//zzOFVr6qSPVtwZtYAMz7lz5x1gM7AukJHH+DkNYGObKkvTpp6lekjJgVgeVbl3BCw52Kmhx0I0GI6qpxPqX/CvqYn8f3mXWLIaVHz0hF3lz2tY
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Classic PKI and DANE in harmony
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2013 13:12:05 -0000

On 13 June 2013 20:38, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Wed, Jun 12, 2013 at 9:08 AM, Ben Laurie <benl@google.com> wrote:
>>
>> On 12 June 2013 13:31, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>> > A second advantage is that it enables discretion. Any security check
>> > that
>> > you implement in the browser has to be reduced to a set of codified,
>> > completely standard rules. The spam filtering companies don't take that
>> > approach, they have a more tactical scheme making use of heuristic data
>> > and
>> > actively change their strategy in response to changes in opposition
>> > tactics.
>>
>> Fair points. I note, though, that you still end up configuring every
>> light bulb...
>
>
> I do that once and the protocol allows the configuration to be done with a
> smart phone with a QR code reader capability:
>
> http://tools.ietf.org/html/draft-hallambaker-wsconnect-02
>
> I don't think it is practical to expect a light bulb to have a full IP stack
> let alone DANE. but it is possible for them to consume DANE and PKIX trust
> assertions if there is a secure way to delegate those choices to another
> device.
>
> More likely the light bulb is plugging into some low bandwidth, short range
> wireless network. So what you would want is not connecting to Omnibroker but
> some sort of general 'home automation' center that will tell the lightbulb
> how and where to plug into the local site infrastructure.
>
> After realizing that I chopped the Omnibroker protocol into two parts. The
> difficult design decisions are all in the JSON Connect (JCX) Web Service
> which makes it easy to establish that initial authenticated connection to a
> trusted Web Service (which can be of any type at all). Omnibroker is then
> simply one protocol that makes use of JCX to establish the long term trust
> connection.
>
>
>> > The broker can be required to hand over all the data used to make its
>> > decision.
>>
>> Not much use if the client can't check it? The advantage of a CT (or
>> RT)-like scheme is that anyone can check it, and all the client needs
>> to be able to do is check consistency...
>
>
> Come on, you point out yourself that you only need a handful of browsers to
> perform CT checking in order for CT to be largely effective at detecting a
> major CA breach.

That is only true because anyone can check that CT is behaving itself.
So far, it seems Omnibroker can safely lie to selected clients with no
risk of detection.

> People who don't trust their broker can run a browser that revalidates the
> chains locally. But as we all know, even a browser with local DNSSEC
> validation is going to sometimes need help making sure it gets DNSSEC data
> to work from. So running the omnibroker just as a path discovery agent is
> still valuable.
>
> But for the general consumer, they actually trust us to decide what programs
> run on their machines at all. CertSentry, the Comodo Ombinbroker-like
> application is currently bundled on the anti-virus product. The expectation
> is that that Omnibroker will eventually replace the proprietary protocol in
> CertSentry 1.0 to power the next generation.
>
>
> --
> Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email