Re: [dane] Anyone interested in writing a DANE tutorial?

Christian Heutger <ch@psw.net> Mon, 15 April 2013 14:04 UTC


Hi,

I'm new to this, but doesn't DANE improve the CA trust model instead of replacing it? If the certificate itself is placed in the DNS, signed, the IP can't be spoofed and the certificate can't be spoofed either, but the advantages of a third party validating the details of the certificate requester still exist?! In addition, we have a two-level trust point: DNSSEC and the certificate issued by a third party. Meanwhile, the DNSSEC signing key can be stolen, as there would be less security than at a WebTrust-audited certificate authority; it then also still requires successfully attacking a certificate authority in addition, or vice versa: if a certificate authority is successfully attacked, DNSSEC also needs to be hacked. Just using DANE will mean that it's enough to hack the DNSSEC key, and as we have learned from recent attacks on companies, that seems to occur more often than successfully attacking a certificate authority. The only successful attack was against DigiNotar, who reacted worse than anyone in the scene ever has. Comodo was "just" a lack of validation through their registry authority scheme, which has been immediately shut down in its recent manner, as was Trustwave's Sub CA program, which has also been closed down to prevent such future occurrences. Also, the revocation scheme is much easier, as OCSP and CRL are well established and usually queried for each encrypted site access; by just publishing new DNSSEC records, it depends on the caching settings of the DNSSEC resolvers when they become aware of a new public key.

Regards,
Christian

From: Sandoche Balakrichenan <sandoche.balakrichenan@nic.fr>
Date: Monday, 15 April 2013 15:08
To: "dane@ietf.org" <dane@ietf.org>
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, Phil Regnauld <regnauld@nsrc.org>, "Mohsen.Souissi@afnic.fr" <Mohsen.Souissi@afnic.fr>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?

Hi Dan and all,

       Even though it took some time, herein I attach a tutorial-style document which explains implementing DANE and a Proof of Concept using a browser add-on.

In case the attached document is interesting, I am ready to maintain it with new add-ons developed for DANE.

Thanks for your views and feedback.


Regards,
Sandoche BALAKRICHENAN




On 09/26/2012 08:27 PM, Dan York wrote:
On Tue, 25 Sep 2012, Warren Kumari wrote:

Something that would be very helpful for getting this deployed /
implemented in browsers is number of folk (and more importantly,
organizations) stating that they are planning on / would do DANE if
the browsers supported it natively. Of course, even more helpful would
be folk actually publishing TLSA records :-P

To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how to publish a TLSA record?  Or collaborating on writing one?

If we had a page that was a simple set of steps it would be something we could pass around and encourage people to consider doing.  I'm thinking of something like:

Existing certificate:
 - get a copy of your TLS certificate
 - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

New certificate:
 - generate a new TLS certificate using ____
 - install certificate in your web server (perhaps assume Apache for the tutorial)
 - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

Now those steps may not be complete... this is just a first thought... and given that I've never deployed a TLSA record (but would like to) I don't know the exact steps.

If anyone would be interested in creating something like this, I'd be glad to publish it on our Deploy360 site (with attribution to you and a link to a site) or if you publish it on your site I'd be glad to link to it from Deploy360.  Or if you'd like to collaborate with me on writing something, I'd be glad to help with it.

Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some text narrative explaining the commands.

Anyone interested?

Thanks,
Dan


--
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork
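The "generate the appropriate hash" and "create a DNS record that looks like" steps of Dan's outline, and the client-side match that Sandoche's browser add-on Proof of Concept has to perform, worked through as an added example; this is not code from the thread or from the attached tutorial. It assumes RFC 6698 rdata (certificate usage, selector, matching type, association data) and the RFC 5280 field order to locate the SubjectPublicKeyInfo; the hostname, port and the certificate-shaped sample bytes are constructed for offline use.

```python
import hashlib
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(der: bytes):
    """Split one constructed DER element into (tag, value, whole_tlv) children."""
    _, body, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = _read_tlv(body, pos)
        out, pos = out + [(tag, value, body[pos:end])], end
    return out

def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 Certificate (RFC 5280 field order)."""
    fields = _children(_children(cert_der)[0][2])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]    # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """RFC 6698 rdata: selector 0 = whole cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    assoc = data if mtype == 0 else hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def tlsa_record(host: str, port: int, cert_der: bytes, **kw) -> str:
    """Zone-file line to publish (then DNSSEC-sign): '_443._tcp.<host>. IN TLSA 3 1 1 <hex>'."""
    return f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(cert_der, **kw)}"

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Client-side check: does the certificate the server presented match the published rdata?"""
    usage, selector, mtype, assoc = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3] == assoc.lower()

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV encoder, enough for the constructed sample below."""
    return bytes([tag, len(value)]) + value
# Constructed certificate-shaped DER: RFC 5280 layout, dummy key bits, empty names; not a real cert.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00")
                   + _tlv(0x03, b"\x00" + b"\x11" * 64))
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                             + _tlv(0x30, b"") * 4 + SAMPLE_SPKI)
                   + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Usage 3 with selector 1 pins the server's public key, so a re-issued certificate for the same key needs no new record, whereas selector 0 ties the record to the exact certificate. To feed a real certificate, pass its DER bytes (a PEM file base64-decoded between the BEGIN/END lines).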






_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane