Re: [dane] List of incidents that DANE would have blocked?

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 02 October 2014 16:15 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F9551A877D for <dane@ietfa.amsl.com>; Thu, 2 Oct 2014 09:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZjHOTtr4_yG for <dane@ietfa.amsl.com>; Thu, 2 Oct 2014 09:15:50 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63BA31A1A92 for <dane@ietf.org>; Thu, 2 Oct 2014 09:15:48 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 717972AB2A7; Thu, 2 Oct 2014 16:15:41 +0000 (UTC)
Date: Thu, 02 Oct 2014 16:15:41 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141002161541.GE13254@mournblade.imrryr.org>
References: <DD18BA26-107D-4584-ACDE-131DD3D45AE6@mac.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DD18BA26-107D-4584-ACDE-131DD3D45AE6@mac.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/hs0o8lhxbXP8s67MtzzUnLvGel0
Subject: Re: [dane] List of incidents that DANE would have blocked?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 16:15:55 -0000

On Wed, Oct 01, 2014 at 09:37:08AM -0700, William Stouder-Studenmund wrote:

> Making a case for DANE means making a case for DNSSEC.

Yes.

> I get that DANE can detect a large class of MITM attacks.

No, DANE can publish associations between service end-points and
public key material.  Protecting against MITM attacks is a matter
for the protocols that use that key material.  DNSSEC hardens the
lookups of that key material against MITM attacks.

> Saying that
> isn't as convincing as handing over a list of, "DANE is designed to stop
> this, DANE would have stopped that one," and so on.

DANE can enable opportunistic security protocol designs that are
capable of resisting MITM attacks.  This is in use with SMTP and
XMPP.

DANE for the web is some time away.  None of the browsers are
planning DANE support at this time.  My hope is that at some point
in the future the new "h2" URI scheme will support opportunistic
DANE TLS, rather than just opportunistic unauthenticated encryption.

DANE replacing public CAs with "https" seems unlikely so long as
there is perceived value in "EV" certificates.

-- 
	Viktor.
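The split Viktor describes above (DANE publishes the key association, the TLS-using protocol does the verification, DNSSEC protects the lookup) as a worked example. This is added illustration code, not code from the message or from any DANE implementation: it handles only TLSA usage 3 (DANE-EE) with the RFC 6698 selector and matching-type values, the certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and the `dnssec_validated` flag stands in for the AD bit a validating resolver would set. The result values follow the SMTP client behaviour in RFC 7672: an unvalidated or unusable RRset means "no DANE, fall back to unauthenticated TLS", while a validated RRset that nothing matches is a hard failure.

```python
"""DANE-EE (TLSA usage 3) matching as a TLS client would perform it.
Illustration only; certificate bytes below are constructed placeholders."""
import hashlib
from dataclasses import dataclass

# TLSA parameter values from RFC 6698.
USAGE_DANE_EE = 3          # the only usage handled here; 0/1/2 are skipped as unusable
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Outcomes for the caller (an SMTP client in the RFC 7672 sense).
AUTHENTICATED = "authenticated"   # DANE verified the presented key
MISMATCH = "mismatch"             # usable TLSA records exist but none match: refuse
NO_DANE = "no-dane"               # nothing usable: fall back to unauthenticated TLS


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex digest>'."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("TLSA rdata needs 4 fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    return TLSA(usage, selector, matching, bytes.fromhex(fields[3]))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Derive the bytes a TLSA record must carry to match this certificate."""
    if selector == SELECTOR_SPKI:
        selected = spki_der
    elif selector == SELECTOR_CERT:
        selected = cert_der
    else:
        raise ValueError("unknown selector")
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")


def tlsa_rdata_for(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> str:
    """Publisher side: the usage-3 rdata an operator would put in the zone."""
    data = association_data(cert_der, spki_der, selector, matching)
    return f"{USAGE_DANE_EE} {selector} {matching} {data.hex()}"


def dane_ee_verify(records, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> str:
    """Client side: decide what the TLSA RRset says about the presented cert.

    Records the client cannot act on (non-DANE-EE usage, unknown selector or
    matching type) are skipped as unusable.  An RRset that was not DNSSEC
    validated is not trusted at all: without DNSSEC, whoever can spoof the
    lookup could publish a record for their own key.
    """
    if not dnssec_validated:
        return NO_DANE
    saw_usable = False
    for r in records:
        if r.usage != USAGE_DANE_EE:
            continue
        try:
            expected = association_data(cert_der, spki_der, r.selector, r.matching)
        except ValueError:
            continue
        saw_usable = True
        if expected == r.data:
            return AUTHENTICATED
    return MISMATCH if saw_usable else NO_DANE


# Constructed placeholders standing in for real DER encodings.
DEMO_CERT_DER = b"constructed-placeholder-certificate-der"
DEMO_SPKI_DER = b"constructed-placeholder-subjectpublickeyinfo-der"


def demo():
    """Publish a '3 1 1' record for the demo key, then check three client cases."""
    rdata = tlsa_rdata_for(DEMO_CERT_DER, DEMO_SPKI_DER, SELECTOR_SPKI, MATCH_SHA256)
    rrset = [parse_tlsa_rdata(rdata)]
    good = dane_ee_verify(rrset, DEMO_CERT_DER, DEMO_SPKI_DER, dnssec_validated=True)
    unsigned = dane_ee_verify(rrset, DEMO_CERT_DER, DEMO_SPKI_DER, dnssec_validated=False)
    # Same TLSA record, but the peer presented a different key (a MITM's).
    mitm = dane_ee_verify(rrset, b"other-cert", b"other-spki", dnssec_validated=True)
    return good, unsigned, mitm


if __name__ == "__main__":
    print(demo())
```

Note what the code does not do: a real client would obtain `cert_der` and `spki_der` from the TLS handshake, obtain the RRset and its validation status from a DNSSEC-aware resolver, and still needs chain building for usage 2 (DANE-TA), which this example deliberately leaves out.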