Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

Richard Barnes <rbarnes@bbn.com> Tue, 25 September 2012 16:33 UTC

Date: Tue, 25 Sep 2012 18:33:03 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Ben Laurie <benl@google.com>
Message-ID: <57E1740259854F1E8FE25498CF8B1049@bbn.com>
In-Reply-To: <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On Tuesday, September 25, 2012 at 6:12 PM, Ben Laurie wrote:
> On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net> wrote:
> >  
> > On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:
> >  
> > > On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
> > > >  
> > > > On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
> > > >  
> > > > > Henry,
> > > > >  
> > > > > > > WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
> > > > > > Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.
> > > > > >  
> > > > >  
> > > > > If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
> > > > > you would see that TLS is cited 5 times, so your supposition above is wrong with regard to
> > > > > its first assertion.
> > > > >  
> > > >  
> > > >  
> > > > Thanks. But not MIME - So the point holds well enough :-)
> > > >  
> > > > Anyway, the webid spec
> > > >  
> > > > http://www.w3.org/2005/Incubator/webid/spec/
> > > >  
> > > > also is very clearly tied to TLS, and would benefit a lot from DANE being deployed. So my interest in DANE is not a side issue. The strongest pushback against WebID (and so using client certificates) is the cost of server certificates for most players.
> > >  
> > > You mean people who aren't using HTTPS to secure logins care about WebID?
> >  
> > People who are not using HTTPS to secure logins won't have very secure logins (even passwords require protection). I am speaking about pushback from people who are serious about security (not counting the TOR type super security folks - but I will show that WebID works there too).
> >  
> > >  
> > > > (the next strongest is the inability to log out from all but Firefox browsers)
> > >  
> > > Am I really the only one who cares about usability?
> >  
> > Firefox usability (of client certs) sucks. All the others are pretty good, and could easily be made better by a little work from the browser vendors. I demonstrate that very clearly in the video on http://webid.info/ . Now why browser vendors like Firefox don't do the few weeks of work to get usability working is beyond me. I think it is partly because they don't understand how usable they could make client certificates with WebID.
>  
> Sigh. Why do I have to go over this every time? Usability in the
> browser is only part of the problem, the rest are things like moving
> between machines, dealing with revocation, migrating existing accounts
> and so on.

… none of which are germane to DANE.

--Richard