Re: [Danish] Proposed WG Charter
Paul Wouters <paul@nohats.ca> Tue, 15 June 2021 19:45 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BD793A3B95 for <danish@ietfa.amsl.com>; Tue, 15 Jun 2021 12:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Url3zd_ZK0WO for <danish@ietfa.amsl.com>; Tue, 15 Jun 2021 12:45:50 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F6593A3B97 for <danish@ietf.org>; Tue, 15 Jun 2021 12:45:50 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4G4JhX5tPhzD0h; Tue, 15 Jun 2021 21:45:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1623786348; bh=qT8HRZusWt33f/cETLI9ODDkIKQ8sIHJt+2M2dCYC8s=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=QiLVuNwNtOYk1ghqyp59ECaWyiFX7ien7o/JovcwW8TfB2TN8Cx5Hg+xweLGY+Osy HTIF2Z8QtnARMx1suT+zzILi1mZ7XpdfYQpx7RR3RKKpAo0xIc7dNiBVZODRlLGHf/ B5fk3gdi1PUwXDkDGjdhBKBuWgaweHNiP2VdvJ2w=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cHOE7S2h__q1; Tue, 15 Jun 2021 21:45:47 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 15 Jun 2021 21:45:47 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id EAB358356B; Tue, 15 Jun 2021 15:45:45 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E40608356A; Tue, 15 Jun 2021 15:45:45 -0400 (EDT)
Date: Tue, 15 Jun 2021 15:45:45 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ash Wilson <ash.wilson=40valimail.com@dmarc.ietf.org>
cc: danish@ietf.org
In-Reply-To: <CAEfM=vQ=U_BuESMPkBzhDC-KJ7usrc29G2OEgA3WTP16Jzd8zA@mail.gmail.com>
Message-ID: <36214e75-e77d-adba-4f50-e1fafd874d48@nohats.ca>
References: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com> <YMZwG/l/pne2tHJF@straasha.imrryr.org> <CAEfM=vT5PErjwY73gEEaFb7v84tdVSWb3p4efz_xL1gApFYvRQ@mail.gmail.com> <YMgCbq/PdTLfzTIu@straasha.imrryr.org> <CAEfM=vQ=U_BuESMPkBzhDC-KJ7usrc29G2OEgA3WTP16Jzd8zA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/2JlB2irHIfEpR2vQM7ruxPvA-Do>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 19:45:55 -0000
On Tue, 15 Jun 2021, Ash Wilson wrote: > It is easier to justify the adoption of DNSSEC as a part of a broader initiative that adds some business value beyond improving the security of an > existing use case. > > Within an organization which has not already adopted DNSSEC, it is easier to justify initial exploration into a design pattern if DNSSEC is not in the > initial set of requirements. This makes the assumption that exploration happens with oversight of enterprise technical leadership. > > It is easier to justify the adoption of DNSSEC to business leadership if it increases the value of an existing initiative, which is already showing > success. The risk/return balance then has some demonstrated benefit, which makes a stronger argument against perceived risk. These arguments all applied to PKIX as well. Getting SSL on your server was "too hard" and "too cumbersum" and traction was really low to improve that, despite the strong case for it giving additional security. Then ACME and LetsEncrypt came and automation solved this problem. If DNSSEC is too difficult to do inhouse now, let your DNS hoster do it. Route 53 supports it via a checkbox. Cloudflare supports it via a checkbox. One click, done. Keep using the same TLS REST API to submit DNS updates. It just gets signed. Maybe some opensource tools need improving, eg lets get octodns to support DNSSEC fully. Let's improve knot/bind's methods for "editing" a zone so it works with DNSSEC. > If DNSSEC is in the initial set of requirements for DNS-based IoT device identity, the desire to experiment with DNS-based device identity faces an > increased likelihood of rejection when compared to an adoption path where DNSSEC is an eventual, rather than an initial, requirement. I would really prefer the IETF does not engage with putting security aspects in DNS records that are spoofable, and depend on a pluggable non-DNS security stack for validation of these insecure records. > Offering a transitional mode will make DNSSEC easier to justify The transition mode will never transition further towards DNSSEC. And as pointed out in this thread, that would be harmfull to DNSSEC deployment, not helping transition to it. > but I think that we can both agree that some positive effect on the overall adoption of DNSSEC will result from having a transitional mode. I don't think so. Paul
- [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Paul Hoffman
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Shumon Huque
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] [EXT] Re: Proposed WG Charter Jacques Latour
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Roman Danyliw
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Jacques Latour