Re: [dane] Draft for serializing DNSSEC chains
Eric Osterweil <eosterweil@verisign.com> Thu, 07 July 2011 21:35 UTC
Return-Path: <eosterweil@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4967221F8837 for <dane@ietfa.amsl.com>; Thu, 7 Jul 2011 14:35:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.434
X-Spam-Level:
X-Spam-Status: No, score=-6.434 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2tx4gE5FoNw for <dane@ietfa.amsl.com>; Thu, 7 Jul 2011 14:35:33 -0700 (PDT)
Received: from exprod6og106.obsmtp.com (exprod6og106.obsmtp.com [64.18.1.191]) by ietfa.amsl.com (Postfix) with ESMTP id EF9F421F8834 for <dane@ietf.org>; Thu, 7 Jul 2011 14:35:30 -0700 (PDT)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob106.postini.com ([64.18.5.12]) with SMTP ID DSNKThYmnA9YpIXHBSTmpEB/zRl7gzZwGXGD@postini.com; Thu, 07 Jul 2011 14:35:32 PDT
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id p67LZNVm029371; Thu, 7 Jul 2011 17:35:23 -0400
Received: from [10.131.30.110] ([10.131.30.110]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 7 Jul 2011 17:35:23 -0400
Message-ID: <4E16269A.30105@verisign.com>
Date: Thu, 07 Jul 2011 17:35:22 -0400
From: Eric Osterweil <eosterweil@verisign.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <201107070137.p671b47i012741@fs4113.wdf.sap.corp> <4E1618C7.7060908@verisign.com> <CAMm+Lwgf+KVUqy-GEy3ECxVB4YjsQ=dBEDDcMyrmyyXuZ_9xjg@mail.gmail.com>
In-Reply-To: <CAMm+Lwgf+KVUqy-GEy3ECxVB4YjsQ=dBEDDcMyrmyyXuZ_9xjg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040406020806070705090504"
X-OriginalArrivalTime: 07 Jul 2011 21:35:23.0194 (UTC) FILETIME=[C71639A0:01CC3CED]
Cc: dane@ietf.org
Subject: Re: [dane] Draft for serializing DNSSEC chains
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 21:35:34 -0000
On 7/7/11 5:05 PM, Phillip Hallam-Baker wrote: > On Thu, Jul 7, 2011 at 4:36 PM, Eric Osterweil > <eosterweil@verisign.com <mailto:eosterweil@verisign.com>> wrote: > > On 7/6/11 9:37 PM, Martin Rex wrote: > >> > > (Which raises another point. OCSP stapling uses a TLS >> extension. This >> > > is a more appropriate design than embedding the data in the cert; >> > > additionally, the latter is impossible to do >> backward-compatibly with a >> > > CA-signed cert. >> > >> > OK, so let's discuss this. Are you aware of any operational >> hurdles that >> > may have hampered OCSP (for what it was intended, let alone for >> something >> > new)? >> >> AFAIK, the original TLS extension was a single OCSP response, and >> then >> all CAs added intermediate certs so that a single OCSP response was >> no longer sufficient to validate a server certificate. >> >> The proposal for a new TLS extension to carry more than a single >> OCSP reponse is still an internet draft: >> https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/ >> > > Yes, but are you aware of the _operational_ problems? Is the > distinction between design complexity and operational complexity > not clear? If so, is anyone else on the list concerned? > > > Well if any such problems exist it should be possible to state them > with specificity. Otherwise the assertion is FUD pure and simple. OK. I don't want my concerns on this to be misconstrued as a litany of problems. So, just some "complications" (no judgements), and not intended to be comprehensive: - Does someone need to provision an OCSP server now when they want to use a cert? Large companies (I wonder who would be a good example? :-P ) spend a lot of operational capital provisioning their OCSP services, and pay for it (bandwidth if nothing else). Now web server operators get to do that too. - Now, I can take this new list of OCSP servers as a new attack vector: pop a DNSKEY, DoS an OCSP server, voila... I'm not bagging on OCSP, I'm trying to point out that the protocol is associated w/ real operational overheads and liabilities, and should _not_ be underestimated. > > The distinction between design complexity and operational complexity > was not originally clear because no such distinction had been > proposed. It was only after I pointed out that there are empirical > criteria for design complexity that Matt decided that he was talking > about operational complexity. I think you need to re-read that thread. A late understanding of a point does not imply a correspondingly late assertion of that point. :) > > There are empirical criteria for operational complexity as well: > > * Number of administrative actions required to perform an operation > * Number of independent services that must be configured to achieve an > action > * Dependence on support for specific capabilities in deployed > infrastructure > * State that must be maintained at services More than this. Operations (unfortunately for them) must account for all of the corner cases that were (and were not) foreseen. This is the main reason for the KISS principle that engineers (i.e. us) follow. > > Adam's proposal is better than the previous one on each of these > criteria above. The proposal to use the pickled chain in an OCSP token > is better still. Again, aside from rather obvious layer violations, I still think you are underestimating the points I outlined (even in this email). Eric <bait removed>
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains =JeffH
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Stephen Farrell
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Marc Lampo
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Paul Wouters
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Olafur Gudmundsson
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains John Gilmore
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Jim Schaad
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley