[dane] Extending TLSA RFC to operate with TLS's new raw public keys

John Gilmore <gnu@toad.com> Thu, 15 January 2015 22:24 UTC

Message-Id: <201501152224.t0FMOoCl025516@new.toad.com>
To: dane@ietf.org, gnu@toad.com
Date: Thu, 15 Jan 2015 14:24:50 -0800
From: John Gilmore <gnu@toad.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/uZFmffmzM0pUokmXB4UZvfEwsiI>
Subject: [dane] Extending TLSA RFC to operate with TLS's new raw public keys

It has been seven months since the DANE WG "adopted" my very short
draft that repealed the CA-motivated anti-interoperability
prohibitions in RFC 6698 and simply specified how DANE authenticates
or publishes raw public keys.  Therefore, the draft has expired.  In
the meantime, as far as I can tell, nothing has been done.

All the urgency to actually solve this problem evaporated as soon as I
allowed RFC 7250 to issue despite containing no text that addressed
this problem.  I was assured by my friend Olafur and my colleagues
Warren and Stephen, the people in authority over this working group
and this whole security area, that they would address the issue "ASAP"
if I would just follow their recommended procedures.  Yet it did not

I did it the way you-all recommended, and nothing got done.  So the
self-serving CA lobby won (delay is a win), and the NSA won (delay is
a win for them too), and the public lost.

Where do we go from here?