IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2012 16:09 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715FA11E808A for <dane@ietfa.amsl.com>; Fri, 4 May 2012 09:09:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.865
X-Spam-Level:
X-Spam-Status: No, score=-102.865 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBczT2mDM3P8 for <dane@ietfa.amsl.com>; Fri, 4 May 2012 09:09:43 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 46C7021F8713 for <dane@ietf.org>; Fri, 4 May 2012 09:09:35 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so2575194vcb.31 for <dane@ietf.org>; Fri, 04 May 2012 09:09:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=IrW3Jq95Wrqk2D+r0uirXXdRuc41B5B/gJvP3JCYwYM=; b=WLQKjpgiyKpWLcZRNgPOqDaZpwWgcYc0DzTn6p3GS8xX8K8dk46DCozwcs8m4pj8ck jf0LRiLysyweW+DZp6OHkRrgKWRkdcWOtHNWLeYhZ1dSbeONVvYptoAUxqpyiJZs6bR8 cljpJs/mqp26yKBmDp5AUyFfLC84RGq8uPqxXiv40S+IaVUQSChdsWKKm+5XG7JQ5VZt T7ZRScR1SSKxVhSWUiEnM3o2SnnbLpimOt83FP/UbrTlgY9R5F3E4dKTwoMrNb7JJQhy 7wm+/iCReEfHw7W4LSAKtm5+V8q8o1TDN2bEvw2Amb5cI2YbHI+Kq5tslQHLQyewabio Pn/Q==
Received: by 10.220.141.79 with SMTP id l15mr4204935vcu.48.1336147774778; Fri, 04 May 2012 09:09:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Fri, 4 May 2012 09:08:53 -0700 (PDT)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <3FF36EBA-F8B1-4D66-BA00-E8E36A7E449D@kumari.net>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu> <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info> <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <3FF36EBA-F8B1-4D66-BA00-E8E36A7E449D@kumari.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 4 May 2012 09:08:53 -0700
Message-ID: <CABcZeBP2iRLa76rSXu4A0OwFxP=tqK1ShZ6wv=6wnaEC6uad+w@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQny+dkPMmgo7pis8Hd842iJ7E2eaQ8FJucfEcx4zHE5bpwqgPsByGJpmzFpNV7MniYdIX3+
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 16:09:44 -0000

On Fri, May 4, 2012 at 8:57 AM, Warren Kumari <warren@kumari.net> wrote:
> <chair hat>
>
> Hi there all,
>
> First off, thanks for keeping this civil. This is an important issue (and one that we've skirted around in the past..), lets try and prevent it becoming contentions as well :-)
>
> So, it seems (to me!) that both Eric and Andrew have perfectly sane and defendable positions, but diametrically opposed.
> This is (IMO) something that we are going to have to resolve before this is published, so I am asking our AD to consider holding off...
>
>
> </chair hat>
>
> So, how does the WG feel about a knob that can be turned to choose behavior? Something that can be set for the less secure manner for now, and then (the default) changed later?
> Security conscious / at risk folk would be able to turn the knob now...
>
> Worst idea ever?

Before we discuss how to proceed, I think it would be useful to get agreement
on the security analysis. I claim that for Usages 0 and 1, treating
TLSA non-response
as if no TLSA records exist means that DANE adds minmal/no security
value for those
usages. If people disagree with that, I would like to hear someone describe
a threat model under which DANE with this policy would prevent attacks
that would otherwise succeed.

Until we agree on that, I don't think there's much point in discussing what the
document ought to say.

-Ekr

v2.8.7 | Report a Bug | By Email