Re: [dane] Classic PKI and DANE in harmony
Phillip Hallam-Baker <hallam@gmail.com> Thu, 13 June 2013 19:38 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8397F21F9A88 for <dane@ietfa.amsl.com>; Thu, 13 Jun 2013 12:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IU3Z9k2MRwrH for <dane@ietfa.amsl.com>; Thu, 13 Jun 2013 12:38:33 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 082CC21F9A9F for <dane@ietf.org>; Thu, 13 Jun 2013 12:38:32 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id c10so1306142wiw.4 for <dane@ietf.org>; Thu, 13 Jun 2013 12:38:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jINgk1Gp6U+jVc+xLnj/JZm92SDbZxCYUDl2xdW138U=; b=n6KZEAeC6d5/n0b7JBPa/z7W1NG5vpXnol/Je0kd/Wld4DT/NY2lY9PIkX1/QnVxL/ IZYLcTOtFfGiverAaRnQbfDY/bw5eWvKVzXQ+ci7hJWz9ROX6uissp+BhhJyNeaFlN3l pmMiNz5AkNWXfNYP4jelSqf53f0wQWTFU1eTs88ds89n6Jug6GRiJWipm4gwp8i5paxl 9pea1nAV/LeL+cijeBAjY+W/xUdzbxBTexxLFraGKnmLer0XlU4oRykTIquk2C5WTjpJ nMJm5PQA3PVvkwZ5yFtyHkHF1uB5a51y1MRpJ7VCbDr4bFOfdpqncdgnmBYU9jdICbcn my4A==
MIME-Version: 1.0
X-Received: by 10.180.206.205 with SMTP id lq13mr8453763wic.56.1371152312153; Thu, 13 Jun 2013 12:38:32 -0700 (PDT)
Received: by 10.194.54.10 with HTTP; Thu, 13 Jun 2013 12:38:31 -0700 (PDT)
In-Reply-To: <CABrd9STYStxiZVTE3zpS_846xr8F6B3xyPEJi9JPsMzN59N9cg@mail.gmail.com>
References: <CDCC1183.46C6E%ch@psw.mx> <20130529184555.GY9380@mournblade.imrryr.org> <544B0DD62A64C1448B2DA253C011414607ACD1048F@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CA8EBB16-E886-41AB-A7A0-0B02C13062ED@kirei.se> <5B925F3A-B122-469D-97F5-7DF8A2262795@kumari.net> <CABrd9SQ_ggTf5MbZq1OePq_DtMxNysYHAouBwz-Dx7gu-ihqEQ@mail.gmail.com> <69DCBEB1-396E-4EDF-A86B-CB2483CAD094@NLnetLabs.nl> <CABrd9SQmM6tjVXcdj7bCE4wwFAv0C67EtGAP4TMA53pHkK87kA@mail.gmail.com> <20130530151810.GD9380@mournblade.imrryr.org> <CABrd9SRbr4eN=XabNHX44Aw=bPpu__CXqgdDay148W0jLcXsCg@mail.gmail.com> <20130530155539.GG9380@mournblade.imrryr.org> <CABrd9STiPkg1SmwrvcQWDv=4j=UB1SR0_Fvg=-4+YwTGZeQdrw@mail.gmail.com> <CAMm+LwiU2SK95r=4Pn+3ezcoZnJThxhg1C6W2dtKqYMMe8s4Gg@mail.gmail.com> <CABrd9SR05yn_G2QPZqFphRMYHOeFz=gvtLFR0Sap-ddY+rgcVw@mail.gmail.com> <CAMm+LwhRGybyd5v2p_tOV6ZUzZHbF=CR93NRmvU3yJ=Lw8TXUA@mail.gmail.com> <CABrd9SSoaSt-U+xJp62Qa-CxPf+OtF3QgMzh64hqOna7u-1Brw@mail.gmail.com> <CAMm+Lwjwfs86qHaK1+Z++KYvZv9PLTbRNf+g7av+QPf=jCqeGg@mail.gmail.com> <CABrd9STYStxiZVTE3zpS_846xr8F6B3xyPEJi9JPsMzN59N9cg@mail.gmail.com>
Date: Thu, 13 Jun 2013 15:38:31 -0400
Message-ID: <CAMm+Lwh3es-ZCx4Gtec8bqS4=7zucL-c4qY7rJcsUQkWZgNviQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary="001a11c382d47fc14304df0e4665"
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Classic PKI and DANE in harmony
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2013 19:38:34 -0000
On Wed, Jun 12, 2013 at 9:08 AM, Ben Laurie <benl@google.com> wrote: > On 12 June 2013 13:31, Phillip Hallam-Baker <hallam@gmail.com> wrote: > > > A second advantage is that it enables discretion. Any security check that > > you implement in the browser has to be reduced to a set of codified, > > completely standard rules. The spam filtering companies don't take that > > approach, they have a more tactical scheme making use of heuristic data > and > > actively change their strategy in response to changes in opposition > tactics. > > Fair points. I note, though, that you still end up configuring every > light bulb... I do that once and the protocol allows the configuration to be done with a smart phone with a QR code reader capability: http://tools.ietf.org/html/draft-hallambaker-wsconnect-02 I don't think it is practical to expect a light bulb to have a full IP stack let alone DANE. but it is possible for them to consume DANE and PKIX trust assertions if there is a secure way to delegate those choices to another device. More likely the light bulb is plugging into some low bandwidth, short range wireless network. So what you would want is not connecting to Omnibroker but some sort of general 'home automation' center that will tell the lightbulb how and where to plug into the local site infrastructure. After realizing that I chopped the Omnibroker protocol into two parts. The difficult design decisions are all in the JSON Connect (JCX) Web Service which makes it easy to establish that initial authenticated connection to a trusted Web Service (which can be of any type at all). Omnibroker is then simply one protocol that makes use of JCX to establish the long term trust connection. > The broker can be required to hand over all the data used to make its > > decision. > > Not much use if the client can't check it? The advantage of a CT (or > RT)-like scheme is that anyone can check it, and all the client needs > to be able to do is check consistency... > Come on, you point out yourself that you only need a handful of browsers to perform CT checking in order for CT to be largely effective at detecting a major CA breach. People who don't trust their broker can run a browser that revalidates the chains locally. But as we all know, even a browser with local DNSSEC validation is going to sometimes need help making sure it gets DNSSEC data to work from. So running the omnibroker just as a path discovery agent is still valuable. But for the general consumer, they actually trust us to decide what programs run on their machines at all. CertSentry, the Comodo Ombinbroker-like application is currently bundled on the anti-virus product. The expectation is that that Omnibroker will eventually replace the proprietary protocol in CertSentry 1.0 to power the next generation. -- Website: http://hallambaker.com/
- [dane] How to use TLSA "2 s m", "3 s m" Bry8 Star
- Re: [dane] How to use TLSA "2 s m", "3 s m" Viktor Dukhovni
- Re: [dane] How to use TLSA "2 s m", "3 s m" Christian Heutger
- Re: [dane] How to use TLSA "2 s m", "3 s m" Viktor Dukhovni
- Re: [dane] How to use TLSA "2 s m", "3 s m" Rick Andrews
- Re: [dane] How to use TLSA "2 s m", "3 s m" Viktor Dukhovni
- [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI and DANE in harmony Christian Heutger
- Re: [dane] Classic PKI and DANE in harmony Olaf Kolkman
- Re: [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI and DANE in harmony Tom Ritter
- Re: [dane] Classic PKI and DANE in harmony Rick Andrews
- Re: [dane] Classic PKI and DANE in harmony Christian Heutger
- Re: [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI and DANE in harmony Warren Kumari
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Olaf Kolkman
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- [dane] TLS and SMTP Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Nicholas Weaver
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Warren Kumari
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony SM
- [dane] DNSSEC-last-mile experience ( Was: Classic… Olaf Kolkman
- Re: [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Guido Witmond
- Re: [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI and DANE in harmony Guido Witmond
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Carl Wallace
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI Problems And DNSSEC based … Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Wes Hardaker
- Re: [dane] Classic PKI and DANE in harmony Wes Hardaker
- Re: [dane] Classic PKI and DANE in harmony Bry8 Star
- Re: [dane] Classic PKI Problems And DNSSEC based … Bry8 Star
- Re: [dane] Classic PKI Problems And DNSSEC based … Yoav Nir
- Re: [dane] Classic PKI and DANE in harmony Jakob Schlyter
- Re: [dane] Classic PKI Problems And DNSSEC based … Bry8 Star
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] How to use TLSA "2 s m", "3 s m" Bry8 Star
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Phillip Hallam-Baker
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Olaf Kolkman
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie
- Re: [dane] Classic PKI and DANE in harmony Viktor Dukhovni
- Re: [dane] Classic PKI and DANE in harmony Ben Laurie