Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2012 19:06 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 4 May 2012 12:05:19 -0700
Message-ID: <CABcZeBMBNguyuhJ=ju=tEe23nbVK3T3RW1YUogBinyVuWAX9jg@mail.gmail.com>
To: mrex@sap.com
Cc: dane@ietf.org

On Fri, May 4, 2012 at 12:02 PM, Martin Rex <mrex@sap.com> wrote:
> Eric Rescorla wrote:
>>
>> Before we discuss how to proceed, I think it would be useful to get
>> agreement on the security analysis.
>
> Analysis (about what the attacker could do) is correct, but ...
>
>>
>> I claim that for Usages 0 and 1, treating TLSA non-response as if no
>> TLSA records exist means that DANE adds minimal/no security value for
>> those usages. If people disagree with that,
>
> I do not fully agree to the conclusion.
> With the exact same logic, when comparing DV-certs to EV-certs, you
> could say that EV-certs add minimal/no security value.

It's precisely for this reason that EV certs add minimal security value.


> Web Browsers provide visual cues to differentiate DV/EV-certs (since
> very few users look at the certificate details).

There's very little evidence that users treat these indicia differently.
Adding yet another indicator seems to make the cognitive overload
problem even worse.

-Ekr
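As an added illustration of the point argued above (this is constructed example code, not from the thread or from any DANE implementation), the two ways of handling a TLSA lookup that returns no answer, modelled in Python against a PKIX-valid certificate that does not match the published TLSA record; the `TlsaLookup` enum, `Cert` dataclass and `accept` policy function are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import Enum, auto


class TlsaLookup(Enum):
    """Outcome of a DNSSEC-validating TLSA query (constructed model, not a resolver)."""
    RECORDS = auto()      # validated TLSA RRset returned
    NONE_PROVEN = auto()  # validated denial of existence: no TLSA published
    NO_ANSWER = auto()    # timeout, SERVFAIL or bogus DNSSEC: nothing can be trusted


@dataclass(frozen=True)
class Cert:
    pkix_valid: bool    # passes the client's ordinary CA/PKIX validation
    matches_tlsa: bool  # matches the published TLSA record (usage 0 or 1)


def accept(cert: Cert, lookup: TlsaLookup, strict: bool) -> bool:
    """Accept/reject a server cert under DANE usages 0 and 1.

    Usages 0/1 constrain PKIX: the cert must pass ordinary validation and,
    when TLSA records exist, also match one of them.
    strict=False treats NO_ANSWER like NONE_PROVEN (the behaviour the thread
    argues over); strict=True fails closed on NO_ANSWER.
    """
    if not cert.pkix_valid:
        return False
    if lookup is TlsaLookup.RECORDS:
        return cert.matches_tlsa
    if lookup is TlsaLookup.NONE_PROVEN:
        return True
    return not strict  # NO_ANSWER


# Constructed scenario: a mis-issued cert that a public CA signed (PKIX-valid)
# but that does not match the TLSA record the domain owner published.
ROGUE = Cert(pkix_valid=True, matches_tlsa=False)


def dane_rejects_rogue(strict: bool) -> dict:
    """Does the policy reject ROGUE both when DNS answers normally and when
    the TLSA response never arrives (dropped, or made to time out)?"""
    return {
        "dns_answers": not accept(ROGUE, TlsaLookup.RECORDS, strict),
        "response_suppressed": not accept(ROGUE, TlsaLookup.NO_ANSWER, strict),
    }


if __name__ == "__main__":
    print("lenient:", dane_rejects_rogue(strict=False))  # response_suppressed -> False
    print("strict: ", dane_rejects_rogue(strict=True))   # both True: PKIX and TLSA must be beaten
```

With the lenient policy the rogue certificate is rejected only while the TLSA response is delivered, so the check is only as strong as the attacker's inability to suppress a DNS answer; the strict policy keeps the TLSA constraint in force in both cases.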