[dane] HTTPS everywhere question --- donated mirrors
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 04 June 2015 19:56 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org
Cc: dane@ietf.org
Date: Thu, 04 Jun 2015 15:56:09 -0400
Message-ID: <15980.1433447769@sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/6VlUyAhzbjJfF4tYvVpimhxhuKs>
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
So you may know I mismanage www.tcpdump.org. We have a half-dozen mirrors of the site (and code) around the world, all of them donated. 100M of disk space or something... Most answer to www.tcpdump.org as a virtual host, some have their own URLs.

HTTP-based virtual hosting is simple and cheap, and anyone can put up a mirror using rsync, and then I put the A and AAAA records in along with an extra name like www.us.tcpdump.org (hosted by wireshark).

Now, www.us.tcpdump.org shares a host with www.wireshark.org, and https://www.wireshark.org also exists, and my impression is that some browsers are now doing things like trying port 443, and if it works, assuming that the same content is there. (No, you can't exactly try, because I pulled that IP from www.tcpdump.org pending resolution.)

Let's assume that I want to make this true (that www.tcpdump.org is https-everywhere); we need, at a minimum, universal SNI, or I need to enable this only when there is a unique v6 address (because v4 is too scarce) available. Okay, that solves the VirtualHost issue... but it seems that I still have a certificate and private key issue.

I could buy certificates for all sites, or... ? Is there some technology I've missed?

I could go DANE with self-signed certificates, which has some advantage. In theory, one could have a dozen TLSA RRs in DNS, and fortunately they won't clog up the apex; but in practice, are browsers that support DANE smart enough at this point to search all the records? Going DANE assumes browsers new enough to do SNI, which I guess is good.

I wish we had signed HTTP objects instead, so that I could just sign the web site *contents*, and let the content distribution systems do their job, and let me do mine. (Hey, the entire HTTP site contents are also on GitHub.) Privacy could be machine to machine, while authentication could be browser to web site owner... {I'm allowed to dream, aren't I?}

I know that we have this issue with SMTP, pointing MX records for example.com at ISP mail.example.net, and the names not matching, and I guess we are doing something there.

Am I missing some piece of the puzzle? Some contemplated aspect of TLSA which might let me say, "www.wireshark.org is an allowed name for www.tcpdump.org"??

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
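The mail asks two things that can be shown concretely: what "a dozen TLSA RRs" at one owner name look like when every mirror has its own self-signed certificate, and whether a client has to search all of them. RFC 6698 answers the second: the client considers every record in the RRset and accepts the server certificate if any usable record matches, so one record per mirror is the right shape. With certificate usage 3 (DANE-EE) no CA chain is built and, per RFC 7671, the name in the certificate is not checked against the SNI name, which is what makes a mirror whose certificate says www.wireshark.org acceptable for www.tcpdump.org. The script below is an added example written for this page; it is not Michael's code or anything from tcpdump.org. The mirror names and "certificates" are constructed (minimal DER blobs with placeholder key and signature bytes, built by a tiny encoder in the script, so it runs offline without a crypto library); the owner name `_443._tcp.www.tcpdump.org.` follows the TLSA naming rule. Note also that mainstream browsers have not shipped TLSA validation for HTTPS, so the matching logic is what a DANE-aware client or library does, not what a stock browser does.

```python
import hashlib

# Minimal DER helpers: enough to build a toy certificate and walk its outer
# structure. This is not a general ASN.1 implementation.
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

def der_walk(data):
    """Return [(tag, body, raw_tlv)] for each top-level element of data."""
    out, i = [], 0
    while i < len(data):
        start, tag, ln = i, data[i], data[i + 1]
        i += 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln = int.from_bytes(data[i:i + nb], "big")
            i += nb
        out.append((tag, data[i:i + ln], data[start:i + ln]))
        i += ln
    return out

OID_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
OID_SHA256RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
NULL = der_tlv(0x05, b"")

def toy_cert(cn, key_bytes):
    """Constructed X.509-shaped DER for this example only: the public key and
    the signature are placeholder bytes, not real RSA material."""
    spki = der_seq(der_seq(OID_RSA, NULL), der_tlv(0x03, b"\x00" + key_bytes))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"),   # CN=
                                         der_tlv(0x0C, cn.encode()))))
    validity = der_seq(der_tlv(0x17, b"150604000000Z"), der_tlv(0x17, b"160604000000Z"))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),  # [0] version v3
                  der_tlv(0x02, b"\x01"),                  # serialNumber
                  der_seq(OID_SHA256RSA, NULL),            # signature algorithm
                  name, validity, name,                    # issuer == subject (self-signed)
                  spki)
    return der_seq(tbs, der_seq(OID_SHA256RSA, NULL), der_tlv(0x03, b"\x00" * 33))

def extract_spki(cert_der):
    """Pull the SubjectPublicKeyInfo TLV out of a DER certificate (selector 1)."""
    certificate = der_walk(cert_der)[0][1]          # body of outer Certificate SEQUENCE
    tbs = der_walk(certificate)[0][1]               # body of tbsCertificate
    fields = der_walk(tbs)
    # tbsCertificate: [version] serial sigAlg issuer validity subject spki ...
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    return fields[spki_index][2]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RDATA of a TLSA record for cert_der (RFC 6698 section 2.1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return (usage, selector, mtype, assoc)

def tlsa_presentation(owner, rdata):
    usage, selector, mtype, assoc = rdata
    return f"{owner} IN TLSA {usage} {selector} {mtype} {assoc.hex()}"

def dane_ee_accepts(cert_der, rrset):
    """RFC 6698: consider every TLSA record in the RRset; one usable match
    suffices. Only DANE-EE (usage 3) is handled here, which is what self-signed
    mirror certificates need: no chain is built and no name check is applied."""
    for usage, selector, mtype, assoc in rrset:
        if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue  # unusable record: skip it rather than fail the connection
        if tlsa_rdata(cert_der, usage, selector, mtype)[3] == assoc:
            return True
    return False

# Constructed mirror set: each mirror has its own self-signed certificate, and
# the wireshark-hosted one carries the wireshark name, as in the mail.
MIRRORS = {
    "www.us.tcpdump.org": toy_cert("www.wireshark.org", b"\x01" * 64),
    "www.eu.tcpdump.org": toy_cert("www.eu.tcpdump.org", b"\x02" * 64),
    "www.au.tcpdump.org": toy_cert("www.au.tcpdump.org", b"\x03" * 64),
}
OWNER = "_443._tcp.www.tcpdump.org."

def publish_rrset(mirrors=MIRRORS):
    """One '3 1 1' record per mirror, all at the same owner name."""
    return [tlsa_rdata(cert) for cert in mirrors.values()]

def zone_lines(mirrors=MIRRORS):
    return [tlsa_presentation(OWNER, r) for r in publish_rrset(mirrors)]

if __name__ == "__main__":
    rrset = publish_rrset()
    print("\n".join(zone_lines()))
    for host, cert in MIRRORS.items():
        print(host, "accepted:", dane_ee_accepts(cert, rrset))
    print("stranger accepted:", dane_ee_accepts(toy_cert("evil.example", b"\x09" * 64), rrset))
```

The "3 1 1" form (SPKI, SHA-256) is the usual choice because a mirror can renew its certificate without changing the record as long as it keeps the key; publishing "3 0 1" instead would tie the record to the exact certificate bytes and break on every renewal. A real deployment also needs the zone DNSSEC-signed, or a client has no reason to trust the RRset in the first place.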