Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Wed, 03 November 2010 19:15 UTC
Return-Path: <jwkckid1@ix.netcom.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E7C753A68F0 for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 12:15:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86mcXwVfUkHG for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 12:15:20 -0700 (PDT)
Received: from elasmtp-dupuy.atl.sa.earthlink.net (elasmtp-dupuy.atl.sa.earthlink.net [209.86.89.62]) by core3.amsl.com (Postfix) with ESMTP id 073223A68BE for <keyassure@ietf.org>; Wed, 3 Nov 2010 12:15:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=WPMVVObrlA7Diqx65MC9us1Xlh9KxFPI5pC4WVliIgQp+MqVK3yQShNTcuHoNPAF; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [209.86.224.35] (helo=elwamui-huard.atl.sa.earthlink.net) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <jwkckid1@ix.netcom.com>) id 1PDinu-0007TM-R3 for keyassure@ietf.org; Wed, 03 Nov 2010 15:15:26 -0400
Received: from 99.93.224.206 by webmail.earthlink.net with HTTP; Wed, 3 Nov 2010 15:15:26 -0400
Message-ID: <13301641.1288811726531.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Date: Wed, 03 Nov 2010 14:15:26 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: "keyassure@ietf.org" <keyassure@ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688f6797967d839d80c6a7b17d84c1bc5ad350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 209.86.224.35
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 19:15:22 -0000
Ilari and all, -----Original Message----- >From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi> >Sent: Nov 3, 2010 1:55 PM >To: Phillip Hallam-Baker <hallam@gmail.com> >Cc: Tony Finch <dot@dotat.at>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org> >Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns > >On Wed, Nov 03, 2010 at 01:14:11PM -0400, Phillip Hallam-Baker wrote: >> >> There are certainly issues that arise with prefixes as I mentioned in >> my other post. But they are tractable provided that: >> >> 1) You are prepared to allow an additional DNS round trip. >> 2) You are prepared to introduce a new DNS RR. > >Considering the adoption of CERT RR, CERT RR can almost be treated as >new RR. > >And there's a diffrence between having to serialize the query and >firing off the query in parallel with some other qurey one would have >to do anyway. > >> We have to keep an eye on efficiency, but anything we do here is going >> to depend on deployment of new DNS support infrastructure and require >> transport that supports new RRs. > >Well, there's RFC 3597. But of course, new RRs (even if RFC 3597-compliant) >have issues with adminstration. > >> Certificates typically bind to an entire domain. > >They may, or they may not. Some services use certificates in bizarre >manner and can't share them with anything. > >> Statements concerning configuration of a security policy naturally >> bind to a specific service at a domain. > >If you think HSTS is good example of security policy, consider that >HSTS is really a special kind of protcol-level redirect and is only >well-defined because of interactions between HSTS spec and HTTPS >spec. > >That's why I think that records specifying secure equivalent of service >must specify where to locate the service and how to connect to it >(there are essentially two ways). > >> When we start to look at the consequences of outsourcing, the fact >> that I have outsourced my Web site to outsource.net does not >> necessarily mean I want to trust them with my mail service so maybe >> the assumption that certificates are global to a domain also starts to >> break down. > >Actually, HTTP is just about the worst in this regard since it does >not support any kind of protocol-specific redirect from DNS. Yes, it >supports CNAME, but CNAME isn't prtocol-specific. > >SMTP has MX records, many protocols have SRV, but HTTP does not have >anything like that. > >> So I am thinking that we are going to end up with a requirement for >> protocol specific key assurance. > >Actually, at key assurance level, port numbers/services only matter >if you can partition port numbers/services (which might not be >possible) or if you have services with different security levels on >one name (to prevent attacking higher-security services using stolen >key from lower-security service). My take is that this all gets back to getting the CA's cleaned up if possible AND eliminating the COI in respect to some few CA's also being trust anchors. Becaues if a key is presented from a lower-security service that is a qualified CA and perhaps a Trust Anchor as well, you end up with a obvious problem that is difficult to actually solve. > >-Ilari >_______________________________________________ >keyassure mailing list >keyassure@ietf.org >https://www.ietf.org/mailman/listinfo/keyassure Regards, Jeffrey A. Williams "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 Network Eng. SR. Eng. Network data security ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com Phone: 214-244-4827
- Re: [keyassure] PKIX/KIDNS validation results and… Matt McCutchen
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… James Cloos
- Re: [keyassure] PKIX/KIDNS validation results and… James Cloos
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Ilari Liusvaara
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Ilari Liusvaara
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… James Cloos
- Re: [keyassure] PKIX/KIDNS validation results and… Ilari Liusvaara
- Re: [keyassure] PKIX/KIDNS validation results and… Matt McCutchen
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Matt McCutchen
- Re: [keyassure] PKIX/KIDNS validation results and… Matt McCutchen
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Matt McCutchen
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Ben Laurie
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Ben Laurie
- Re: [keyassure] PKIX/KIDNS validation results and… Ben Laurie
- Re: [keyassure] PKIX/KIDNS validation results and… Steve Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Paul Hoffman
- Re: [keyassure] PKIX/KIDNS validation results and… Stephen Farrell
- Re: [keyassure] PKIX/KIDNS validation results and… Paul Hoffman
- [keyassure] PKIX/KIDNS validation results and dra… Stephen Schultze
- Re: [keyassure] PKIX/KIDNS validation results and… Olafur Gudmundsson
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and Jakob Schlyter
- Re: [keyassure] PKIX/KIDNS validation results and Martin Rex
- Re: [keyassure] PKIX/KIDNS validation results and… Jakob Schlyter
- Re: [keyassure] PKIX/KIDNS validation results and… Jeffrey A. Williams
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Ilari Liusvaara
- Re: [keyassure] PKIX/KIDNS validation results and… Paul Hoffman
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Paul Hoffman
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Paul Hoffman
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Tony Finch
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Ondřej Surý
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Ondřej Surý
- Re: [keyassure] PKIX/KIDNS validation results and… Ondřej Surý
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Warren Kumari
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Andrew Sullivan
- Re: [keyassure] PKIX/KIDNS validation results and… Jakob Schlyter
- Re: [keyassure] PKIX/KIDNS validation results and… Phillip Hallam-Baker
- Re: [keyassure] PKIX/KIDNS validation results and… Jakob Schlyter