Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 10 December 2013 07:34 UTC
Date: Tue, 10 Dec 2013 07:34:03 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131210073402.GA761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131205175314.GH761@mournblade.imrryr.org> <E78C07CA-B742-43B2-8848-33DEB22A8014@kumari.net> <201312080234.rB82YeoW029387@new.toad.com> <m3y53tg0c3.fsf@carbon.jhcloos.org> <20131209231919.GY761@mournblade.imrryr.org> <4FAF6906-D258-4AB3-B76C-888C35566097@kirei.se>
In-Reply-To: <4FAF6906-D258-4AB3-B76C-888C35566097@kirei.se>
On Tue, Dec 10, 2013 at 08:12:42AM +0100, Jakob Schlyter wrote:

> > [ Usages 0/1 are a blunder, we're continuing to pay the cost of
> > this blunder. ]
>
> As the author of 6698, I don't agree and believe 0/1 are still
> useful as an additional layer of security for traditional PKIX.

You left out the word "theatre" after "security". :-)

I guess time will tell whether the definition of 0/1 in 6698 is in fact pointless complexity. The critical thing now is to drive DNSSEC adoption, so that DANE becomes viable (or perhaps adoption of both in parallel, if DANE is the carrot for DNSSEC adoption).

In the meantime, I have a working, and plausibly correct, albeit not yet extensively tested, general purpose DANE interface for OpenSSL. It fully supports all the DANE usages (including the theatrical ones). It even supports out-of-band "2 x 0" certificates and keys, even when these are not in the peer's TLS chain.

Let's hope that support for DANE verification with OpenSSL will encourage broader application support for DANE. With a bit of luck, someone from the OpenSSL team will volunteer to work with me to integrate the code into the development tree.

This took just over 1200 lines of commented code. It should work with OpenSSL 0.9.8 or newer. A very recent insight made it possible to remove the need for signing operations and generation of internal private keys in the verifier, so it is now about as simple as it can get.

The usage 2 implementation is radically different from all the other cases, and accounts for the bulk of the code. This is why I am not comfortable with language that suggests that the difference between 0 and 2 is just like that between 1 and 3. This is very far from the truth.

-- 
	Viktor.
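As an added illustration (not code from the OpenSSL work described above, nor from RFC 6698), the toy Python model below shows why usage 2 differs in kind from usages 0, 1 and 3: for 0/1/3 the record is compared against something the peer sent, while for 2 the matched certificate becomes the trust anchor and, for a "2 0 0" record, may come entirely from DNS. It assumes a constructed stand-in certificate format and issuer-name-only path validation (both marked in comments), and does not cover the bare-key "2 1 0" trust anchor case.

```python
import hashlib

# Constructed stand-in for X.509: each "certificate" is a dict with its name, issuer,
# a DER-like byte string and its SubjectPublicKeyInfo bytes. Real code parses DER.
def make_cert(name, issuer, key):
    return {"name": name, "issuer": issuer,
            "der": f"cert:{name}:issuer:{issuer}:key:{key}".encode(),
            "spki": f"spki:{key}".encode()}

def cert_from_der(der):
    """Toy decoder for the constructed format above (stands in for X.509 parsing)."""
    _, name, _, issuer, _, key = der.decode().split(":")
    return make_cert(name, issuer, key)

def assoc_data(cert, selector, mtype):
    """Certificate association data for one cert: selector picks full cert (0)
    or SPKI (1); matching type picks raw (0), SHA-256 (1) or SHA-512 (2)."""
    data = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return data
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def chain_validates_to(chain, ta):
    """Toy path validation: each cert is issued by the next one, ending at the TA."""
    return all(child["issuer"] == parent["name"]
               for child, parent in zip(chain, chain[1:] + [ta]))

def tlsa_matches(tlsa, chain, pkix_valid):
    """chain[0] is the peer's end-entity cert, followed by the CA certs it sent.
    pkix_valid says whether the chain validates against the local PKIX CA store
    (only usages 0 and 1 care about that)."""
    usage, selector, mtype, rdata = tlsa
    if usage in (1, 3):   # PKIX-EE / DANE-EE: compare the leaf only
        return assoc_data(chain[0], selector, mtype) == rdata and (usage == 3 or pkix_valid)
    if usage == 0:        # PKIX-TA: a CA in the sent chain must match, and PKIX must succeed
        return pkix_valid and any(assoc_data(c, selector, mtype) == rdata for c in chain[1:])
    if usage == 2:        # DANE-TA: the matched cert BECOMES the trust anchor ...
        for i, cert in enumerate(chain):
            if assoc_data(cert, selector, mtype) == rdata:
                return chain_validates_to(chain[:i], cert)
        if selector == 0 and mtype == 0:   # ... or, for "2 0 0", the TA is carried in DNS
            return chain_validates_to(chain, cert_from_der(rdata))
    return False

# Constructed sample: leaf issued by an intermediate whose root the peer does NOT send.
ROOT = make_cert("Example Root", "Example Root", "k-root")
INTER = make_cert("Example Intermediate", "Example Root", "k-inter")
LEAF = make_cert("mail.example.com", "Example Intermediate", "k-leaf")
CHAIN = [LEAF, INTER]
```

With ROOT absent from CHAIN, a "2 0 0" record carrying ROOT's full certificate still authenticates the peer, while a usage 0 record naming ROOT cannot, since usage 0 only matches certificates the peer actually sent.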