Re: [dane] Draft for serializing DNSSEC chains
"Osterweil, Eric" <eosterweil@verisign.com> Thu, 30 June 2011 15:42 UTC
Return-Path: <eosterweil@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 985F811E8187 for <dane@ietfa.amsl.com>; Thu, 30 Jun 2011 08:42:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.901
X-Spam-Level:
X-Spam-Status: No, score=-5.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3MQ+u+DUXKm for <dane@ietfa.amsl.com>; Thu, 30 Jun 2011 08:42:47 -0700 (PDT)
Received: from exprod6og113.obsmtp.com (exprod6og113.obsmtp.com [64.18.1.31]) by ietfa.amsl.com (Postfix) with ESMTP id C140011E8185 for <dane@ietf.org>; Thu, 30 Jun 2011 08:42:46 -0700 (PDT)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob113.postini.com ([64.18.5.12]) with SMTP ID DSNKTgyZdYuF24KT52H/RVZuG/maVMVAIilH@postini.com; Thu, 30 Jun 2011 08:42:47 PDT
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id p5UFgiAb001624; Thu, 30 Jun 2011 11:42:44 -0400
Received: from DUL1WNEXMB11.vcorp.ad.vrsn.com ([10.170.13.11]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 30 Jun 2011 11:42:44 -0400
Received: from 10.131.30.110 ([10.131.30.110]) by DUL1WNEXMB11.vcorp.ad.vrsn.com ([10.170.13.11]) with Microsoft Exchange Server HTTP-DAV ; Thu, 30 Jun 2011 15:41:47 +0000
User-Agent: Microsoft-Entourage/12.29.0.110113
Date: Thu, 30 Jun 2011 11:41:47 -0400
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Message-ID: <CA32117B.CE3E%eosterweil@verisign.com>
Thread-Topic: [dane] Draft for serializing DNSSEC chains
Thread-Index: Acw3OsdJNluPaZU8Tt+XduWlVYGxhQAAXETV
In-Reply-To: <BANLkTimUGtWp=sXCbC3HJ+t8FFaAP+0Q4g@mail.gmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
X-OriginalArrivalTime: 30 Jun 2011 15:42:44.0425 (UTC) FILETIME=[5A960B90:01CC373C]
Cc: Adam Langley <agl@imperialviolet.org>, dane@ietf.org
Subject: Re: [dane] Draft for serializing DNSSEC chains
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2011 15:42:48 -0000
On 6/30/11 11:31 AM, "Phillip Hallam-Baker" <hallam@gmail.com> wrote: > > > On Thu, Jun 30, 2011 at 10:51 AM, Osterweil, Eric <eosterweil@verisign.com> > wrote: >> >> >> >> On 6/28/11 2:22 PM, "Adam Langley" <agl@imperialviolet.org> wrote: >> >>>> As promised. (This is also the format that Chrome is using for it's >>>> DNSSEC stapled certificate support.) >>>> >>>> http://tools.ietf.org/html/draft-agl-dane-serializechain-00 >> >> >> I think I may be missing something here, so can someone clarify the >> following for me: what happens if someone encodes the chain of trust in one >> of these certs, and then the zones in that chain change their keys >> (rollovers, revocations, etc.)? Isn't encoding a dynamic chain of trust in >> a static cert a requirements mismatch? > > I don't understand the problem here. The RSIG values have an absolute validity > interval (i.e. not relative) > > This is a pickled RSIG chain from a specific point in time. It says nothing > about the validity of the chain at any other point in time. > > Unless there is a major flaw in DNSSEC, I can't see where there would be an > issue here. Well if you get a cert, and it says, "I'm valid because the following DNSSE chain is valid," then you are either using THAT chain instead of the current chain of trust (in which case I ask why), or something else that I don't understand. Why are you using a representation of the delegation tree that may not be current anymore? Further, are these certs going to be reissued reliably as the root key changes? I see in the draft that this is (obviously) predicated on trusting a root key, but this value will change (albeit slowly). So, I guess you have to re-encode your cert when the root key rolls? Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains =JeffH
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Stephen Farrell
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Marc Lampo
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Paul Wouters
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Olafur Gudmundsson
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains John Gilmore
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Jim Schaad
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley