Re: [dane] Draft for serializing DNSSEC chains
Martin Rex <mrex@sap.com> Thu, 07 July 2011 01:37 UTC
Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C02B421F8783 for <dane@ietfa.amsl.com>; Wed, 6 Jul 2011 18:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.197
X-Spam-Level:
X-Spam-Status: No, score=-10.197 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLABXicF5u42 for <dane@ietfa.amsl.com>; Wed, 6 Jul 2011 18:37:12 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id DFC0521F8780 for <dane@ietf.org>; Wed, 6 Jul 2011 18:37:11 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p671b5fj015888 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 7 Jul 2011 03:37:10 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201107070137.p671b47i012741@fs4113.wdf.sap.corp>
To: eosterweil@verisign.com
Date: Thu, 07 Jul 2011 03:37:04 +0200
In-Reply-To: <CA3A745E.D21B%eosterweil@verisign.com> from "Osterweil, Eric" at Jul 6, 11 08:21:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: dane@ietf.org
Subject: Re: [dane] Draft for serializing DNSSEC chains
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 01:37:12 -0000
Osterweil, Eric wrote: > > "Matt McCutchen" <matt@mattmccutchen.net> wrote: > > > > DNSSEC RRSIGs are properly analogous to OCSP responses; they provide the > > same functionality. (DNSSEC just skipped the intermediate stage of > > signed long-term certificates because offline operation was not a goal.) > > The motivations and security considerations for DNSSEC chain stapling > > are much the same as those for OCSP stapling. > > Why would you say that? The two protocols are immensely different and they > have much different goals. Please provide details if you feel this is in > err. I agree with Matt (I hadn't noticed he had already suggested this when I wrote my last message). Processing stapled OCSP responses is similar to processing stapled DNSSEC records, although the scope of DANE records is slightly broader than OCSP (because it may include issues server endpoint identification). > > > (Which raises another point. OCSP stapling uses a TLS extension. This > > is a more appropriate design than embedding the data in the cert; > > additionally, the latter is impossible to do backward-compatibly with a > > CA-signed cert. > > OK, so let's discuss this. Are you aware of any operational hurdles that > may have hampered OCSP (for what it was intended, let alone for something > new)? AFAIK, the original TLS extension was a single OCSP response, and then all CAs added intermediate certs so that a single OCSP response was no longer sufficient to validate a server certificate. The proposal for a new TLS extension to carry more than a single OCSP reponse is still an internet draft: https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/ > > > For DNSSEC chain stapling, embedding is possible. > > Chromium may find the ability to use externally automated DNSSEC chain > > stapling with existing web servers to be sufficient justification for > > choosing the poorer design, but does IETF?) > > This will lead to disaster, and opens up new attack vectors. Could you elaborate? I fail to follow. The security design of DANE does not have a dependency on the transport that is used to convey the signed DNS records. Neither does OCSP and CRLs. -Martin
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains =JeffH
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Stephen Farrell
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Marc Lampo
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Paul Wouters
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Olafur Gudmundsson
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains John Gilmore
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Jim Schaad
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley