Re: [dane] Behavior in the face of no answer?

Martin Rex <mrex@sap.com> Fri, 04 May 2012 19:02 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201205041902.q44J2B3F018135@fs4113.wdf.sap.corp>
To: ekr@rtfm.com (Eric Rescorla)
Date: Fri, 4 May 2012 21:02:11 +0200 (MEST)
In-Reply-To: <CABcZeBP2iRLa76rSXu4A0OwFxP=tqK1ShZ6wv=6wnaEC6uad+w@mail.gmail.com> from "Eric Rescorla" at May 4, 12 09:08:53 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>

Eric Rescorla wrote:
> 
> Before we discuss how to proceed, I think it would be useful to get
> agreement on the security analysis.

Analysis (about what the attacker could do) is correct, but ...

>
> I claim that for Usages 0 and 1, treating TLSA non-response as if no
> TLSA records exist means that DANE adds minimal/no security value for
> those usages. If people disagree with that,

I do not fully agree with the conclusion.
With the exact same logic, when comparing DV-certs to EV-certs, you
could say that EV-certs add minimal/no security value.

I believe it is OK for DANE to be a building block for security,
rather than a security silver bullet (something I believe doesn't exist).

What value is offered depends entirely on whether you use that extra
information or entirely ignore it.  If it's ignored, then there is
no value, and that should not come as a surprise.

Web browsers provide visual cues to differentiate DV/EV-certs (since
very few users look at the certificate details).

Another possibility (previously mentioned) would be to get rid of
the PKIX-style Alzheimer approach to security and memorize characteristics
from previous encounters with peers and reuse those memories on
re-encounters, similar to how evolution taught mammals to develop
trust relationships.


Any new IETF protocol that treats smooth migration of the
installed base as seriously and as importantly as IPv6 does for users
of IPv4 will see a similarly rapid migration and adoption of the
technology by consumers as IPv6 has been seeing over the last decade.


-Martin
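The disagreement above is about one policy knob: what a TLS client does with a TLSA lookup that returns no answer at all. The following is an added illustration, not code from the thread or from any DANE implementation; the `TlsaResult` states, the `hard_fail` flag and the scenario values are constructed for the example.

```python
from enum import Enum

class TlsaResult(Enum):
    SECURE_DATA = "secure_data"      # DNSSEC-validated TLSA RRset was returned
    SECURE_NODATA = "secure_nodata"  # DNSSEC proof that the name has no TLSA RRset
    NO_ANSWER = "no_answer"          # timeout / SERVFAIL: nothing was proven either way

def dane_pkix_decision(tlsa, pkix_valid, cert_matches_tlsa, hard_fail):
    """Connection verdict for TLSA usage 0 (PKIX-TA) / 1 (PKIX-EE).

    These usages need both a valid PKIX chain and a match against the
    published TLSA record.  `hard_fail` is a hypothetical policy knob: what
    to do when the TLSA lookup produced no answer at all.
    """
    if not pkix_valid:
        return "reject"            # PKIX is always required for usage 0/1
    if tlsa is TlsaResult.SECURE_DATA:
        return "accept" if cert_matches_tlsa else "reject"
    if tlsa is TlsaResult.SECURE_NODATA:
        return "accept"            # owner published no constraint; PKIX alone applies
    # NO_ANSWER: soft-fail collapses to plain PKIX, hard-fail refuses to guess
    return "reject" if hard_fail else "accept"

def compare_policies():
    """Run the cases the thread argues about and return both verdicts."""
    # Constructed scenario: the presented certificate chains to a trusted CA but
    # differs from whatever the owner pinned (cert_matches_tlsa=False), which is
    # exactly the situation usage 0/1 exist to catch when a TLSA RRset arrives.
    cases = {
        "tlsa_answer_present": TlsaResult.SECURE_DATA,
        "owner_publishes_none": TlsaResult.SECURE_NODATA,
        "lookup_no_answer": TlsaResult.NO_ANSWER,
    }
    return {
        name: {
            "soft_fail": dane_pkix_decision(tlsa, True, False, hard_fail=False),
            "hard_fail": dane_pkix_decision(tlsa, True, False, hard_fail=True),
        }
        for name, tlsa in cases.items()
    }

if __name__ == "__main__":
    for name, v in compare_policies().items():
        print(f"{name:22s} soft-fail={v['soft_fail']:7s} hard-fail={v['hard_fail']}")
```

The `lookup_no_answer` row is the point of contention: under soft-fail a missing answer yields the same verdict as a secure proof that no TLSA records exist, so the usage 0/1 constraint only applies when the answer happens to arrive.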