Re: [dane] An AD bit discussion

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 27 February 2014 04:23 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09BA11A0726 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 20:23:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.758
X-Spam-Level: *
X-Spam-Status: No, score=1.758 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OaKU1Fj1KFPV for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 20:23:44 -0800 (PST)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id D25C21A0246 for <dane@ietf.org>; Wed, 26 Feb 2014 20:23:44 -0800 (PST)
Received: from mx1.yitter.info (c-75-69-155-67.hsd1.nh.comcast.net [75.69.155.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id D5B148A031 for <dane@ietf.org>; Thu, 27 Feb 2014 04:23:42 +0000 (UTC)
Date: Wed, 26 Feb 2014 23:23:35 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20140227042335.GA1726@mx1.yitter.info>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <m3txbly9ui.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140227041753.3509810773A8@rock.dv.isc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/dNNY7f_vtDazemxwMobVISOG2Wo
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 04:23:46 -0000

On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:
> I walk into a coffee shop.  I get a address.  I manage to get IPsec
> running between the server and myself because both ends are configured
> for opportunistic IPsec. 

What does that have to do with the deployment scenario I was asking
about in the Microsoft case, or the one I understood Paul to be asking
about?  Those cases are entirely to do with managed infrastructure,
and the question is, _if_ you have that kind of managed infrastructure
scenario and _if_ you accept that someone could subvert your
management model (but you don't care because if they can do that then
you're screwed anyway), then is there any value in the AD bit?  I
think the answer is, "Maybe," but we're never going to sort that out
if people persist with arguments about scenarios that have nothing to
do with the one under discussion.

Yes, you should not trust the AD bit from random parts of the Internet
or opportunistic IPsec or whatever.  But that's not the case we're
talking about, I think.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com