Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

Richard Barnes <rbarnes@bbn.com> Mon, 24 September 2012 14:52 UTC

Date: Mon, 24 Sep 2012 16:52:05 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Miek Gieben <miek@miek.nl>
Message-ID: <5599DE4BDD364198BB815C08A43B28AD@bbn.com>
In-Reply-To: <20120924144359.GC9495@miek.nl>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com> <20120924134925.GA9495@miek.nl> <F98183AFDDFD449982489E5D3AB81534@bbn.com> <20120924142732.GB9495@miek.nl> <8A01227AE22A4EA9BB387AF46A50A74E@bbn.com> <20120924144359.GC9495@miek.nl>
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

FTPS is FTP over TLS :)  

Yeah, it does STARTTLS instead of jumping straight in, but it's still TLS. 

Even supposing there is an example, I don't really see the conflict.  The existence of a TLSA record under _port._protocol.example.com doesn't necessarily make any statements about what protocol is running on the indicated port.  RFC 6698 says what you do *if* you use TLS, but it doesn't rule out using it for some other protocol.  So if your favorite security protocol uses X.509 certificates to authenticate domain names, you can still use it.  

There is a risk of swapping out protocols, I guess, if an attacker can, say, run a TLS service with a matching cert on the same port.  But that doesn't jump out at me as a terribly likely or terribly damaging scenario. 

-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Monday, September 24, 2012 at 4:43 PM, Miek Gieben wrote:

> [ Quoting <rbarnes@bbn.com (mailto:rbarnes@bbn.com)> in "Re: [dane] Call for Adoption: draft..." ]
> > There's a saying that goes, "We'll cross that bridge when we come to it." :)
> > 
> > Do you have an example of such a protocol?
> 
> uhm... ftps?
> 
> 
> Regards,
> 
> -- 
> Miek Gieben http://miek.nl
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org (mailto:dane@ietf.org)
> https://www.ietf.org/mailman/listinfo/dane
> 
>
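Added example (not part of the thread above): how a TLSA owner name is formed and how the record's association data is computed and checked against a presented certificate, following RFC 6698. It illustrates the point under discussion: the record binds a certificate or its public key, so any certificate carrying that key satisfies it regardless of the protocol spoken on the port. The DER walker is minimal, and the "certificates" are constructed DER structures with a dummy signature, not real X.509 certificates; `ftp.example.com`, port 990 and the key bytes are assumptions chosen for the demonstration.

```python
"""TLSA owner names and RFC 6698 association matching (added example)."""
import hashlib
from typing import List, Tuple


def tlsa_owner_name(port: int, transport: str, host: str) -> str:
    """RFC 6698 section 3: the owner name is _port._transport.host."""
    return f"_{port}._{transport.lower()}.{host.rstrip('.')}."


# --- minimal DER encode/decode, just enough to walk a certificate ------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, raw_tlv, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    end = pos + hdr + n
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[pos + hdr:end], end


def der_children(content: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, raw_tlv, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, raw, body, pos = der_read(content, pos)
        out.append((tag, raw, body))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, _, cert_body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, _, tbs_body = der_children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("bad tbsCertificate")
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5  # skip the explicit [0] version if present
    return fields[idx][1]


# --- TLSA association data (RFC 6698 sections 2.1.2 and 2.1.3) --------------

def tlsa_association(cert_der: bytes, selector: int, matching: int) -> bytes:
    if selector == 0:        # Cert: the full DER certificate
        data = cert_der
    elif selector == 1:      # SPKI: the DER SubjectPublicKeyInfo
        data = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:        # Full
        return data
    if matching == 1:        # SHA2-256
        return hashlib.sha256(data).digest()
    if matching == 2:        # SHA2-512
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert_der: bytes, usage: int, selector: int, matching: int) -> tuple:
    return (usage, selector, matching, tlsa_association(cert_der, selector, matching))


def tlsa_matches(record: tuple, cert_der: bytes) -> bool:
    """Association check only. Usages 0/1 also require PKIX validation and
    usage 2 a chain to the listed trust anchor (RFC 6698 section 2.1.1)."""
    _usage, selector, matching, assoc = record
    return tlsa_association(cert_der, selector, matching) == assoc


def tlsa_rdata(record: tuple) -> str:
    usage, selector, matching, assoc = record
    return f"{usage} {selector} {matching} {assoc.hex()}"


# --- constructed toy certificates (structure only, dummy signature) ----------

def toy_certificate(subject_cn: str, pubkey: bytes) -> bytes:
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))  # rsaEncryption
    alg = der(0x30, rsa_oid + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, subject_cn.encode()))
    name = der(0x30, der(0x31, cn))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))


KEY_A = hashlib.sha256(b"constructed key A").digest()  # stand-in public key bytes
KEY_B = hashlib.sha256(b"constructed key B").digest()
CERT_FTPS = toy_certificate("ftp.example.com", KEY_A)
CERT_OTHER = toy_certificate("other.example.com", KEY_A)  # same key, other subject
CERT_ROGUE = toy_certificate("ftp.example.com", KEY_B)    # same name, other key

if __name__ == "__main__":
    rec = make_tlsa(CERT_FTPS, 3, 1, 1)  # DANE-EE, SPKI, SHA2-256
    print(tlsa_owner_name(990, "tcp", "ftp.example.com"), "IN TLSA", tlsa_rdata(rec))
    for label, cert in (("ftps", CERT_FTPS), ("same key", CERT_OTHER), ("rogue", CERT_ROGUE)):
        print(f"{label:10s} matches: {tlsa_matches(rec, cert)}")
```

A "3 1 1" record satisfied by `CERT_FTPS` is equally satisfied by `CERT_OTHER`, which carries the same key under a different subject: nothing in the association ties it to FTPS, or to TLS at all, which is the observation made in the message above. A selector-0 ("full certificate") record is narrower and matches only the exact certificate.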