Re: [Danish] [Iot-directorate] SCVP

Wes Hardaker <wjhns1@hardakers.net> Tue, 16 February 2021 20:14 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: danish@ietf.org
References: <49163B0D-3952-4DE8-8915-6DC6D50F851C@vigilsec.com> <1182.1613430019@localhost> <yblim6si03u.fsf@w7.hardakers.net> <4DBD656B-ED85-47DB-9493-6B3CC8AC50A1@dukhovni.org>
Date: Tue, 16 Feb 2021 12:14:14 -0800
In-Reply-To: <4DBD656B-ED85-47DB-9493-6B3CC8AC50A1@dukhovni.org> (Viktor Dukhovni's message of "Tue, 16 Feb 2021 18:06:26 -0200")
Message-ID: <yblzh03hisp.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/dGW8vozZW1LoA831OkXBTX247tE>
Subject: Re: [Danish] [Iot-directorate] SCVP

So enumerating the potential things to attempt to measure:

1) Full PKIX -- ignore DNSSEC and DANE
2) DANE with full DNSSEC validation -- DANE-EE and validation from the root (worst case)
3) DANE with DoH/DoT/etc. validation done by the upstream resolver that
   you trust to do DNSSEC validation (because you're throwing trust at
   this point).  Also note that in this situation you may or may not be
   using long-lived connections with the DoH/DoT provider (which will
   also require PKIX).  (Also note that there are likely varying levels
   of trust for them to properly set the AA bit)

-- 
Wes Hardaker
USC/ISI
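The three measurement points above, as an added worked example (not code from this list, from Wes Hardaker, or from any DANISH draft). It implements RFC 6698 TLSA matching for the DANE-EE and PKIX-EE usages and then applies the three trust models: PKIX only; DANE with a TLSA RRset the client validated itself; and DANE where the client believes the AD (Authenticated Data) flag returned by an upstream DoH/DoT resolver, with SERVFAIL the only "bogus" signal it gets. The SubjectPublicKeyInfo (a syntactically valid RFC 8410 Ed25519 encoding around placeholder key bytes), the certificate stand-in, the TLSA records and the resolver flags are all constructed for the example; names such as TlsaLookup and accept_peer are the example's own.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

# RFC 6698 certificate usages used here. DANE-EE (3) pins the end-entity
# certificate or key and needs no PKIX chain; PKIX-EE (1) pins it AND
# still requires a successful PKIX validation.
DANE_EE, PKIX_EE = 3, 1


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int    # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int       # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse zone-file form, e.g. '3 1 1 <hex digest>'."""
        u, s, m, hexdata = text.split()
        return cls(int(u), int(s), int(m), bytes.fromhex(hexdata))


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 matching: pick the blob by selector, hash it, compare."""
    if rr.selector not in (0, 1):
        raise ValueError(f"unknown selector {rr.selector}")
    blob = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif rr.mtype == 2:
        blob = hashlib.sha512(blob).digest()
    elif rr.mtype != 0:
        raise ValueError(f"unknown matching type {rr.mtype}")
    return blob == rr.data


class DnssecStatus(Enum):
    SECURE = "secure"      # chain validated from the trust anchor
    INSECURE = "insecure"  # provably unsigned: DANE does not apply
    BOGUS = "bogus"        # validation failed: hard fail, no fallback


class Mode(Enum):
    PKIX_ONLY = 1              # (1) ignore DNSSEC and DANE entirely
    DANE_LOCAL_VALIDATION = 2  # (2) our own validator, from the root
    DANE_TRUST_UPSTREAM = 3    # (3) believe the DoH/DoT resolver's AD flag


@dataclass(frozen=True)
class TlsaLookup:
    records: tuple
    status: DnssecStatus

    @classmethod
    def from_local_validator(cls, records, status: DnssecStatus):
        # Mode 2: the status comes from our own chain walk, root downward.
        return cls(tuple(records), status)

    @classmethod
    def from_upstream(cls, records, ad_flag: bool, rcode: str):
        # Mode 3: the resolver validated for us. AD=1 is "secure", NOERROR
        # without AD is "insecure", and SERVFAIL is the only hint of "bogus".
        # AD=1 is worth exactly as much as the transport (DoT/DoH, itself
        # PKIX-authenticated) and the resolver operator's validation.
        if rcode == "SERVFAIL":
            return cls((), DnssecStatus.BOGUS)
        return cls(tuple(records),
                   DnssecStatus.SECURE if ad_flag else DnssecStatus.INSECURE)


def accept_peer(mode: Mode, lookup: TlsaLookup, pkix_ok: bool,
                cert_der: bytes, spki_der: bytes) -> bool:
    """Decide whether to accept the peer's leaf under the given model.
    Modes 2 and 3 share this logic; they differ in who produced lookup.status."""
    if mode is Mode.PKIX_ONLY:
        return pkix_ok
    if lookup.status is DnssecStatus.BOGUS:
        return False
    if lookup.status is DnssecStatus.INSECURE or not lookup.records:
        # RFC 7671: unsigned or empty TLSA RRset means fall back to PKIX.
        return pkix_ok
    for rr in lookup.records:
        if rr.usage == DANE_EE and tlsa_matches(rr, cert_der, spki_der):
            return True
        if rr.usage == PKIX_EE and pkix_ok and tlsa_matches(rr, cert_der, spki_der):
            return True
    return False  # a secure TLSA RRset was published and nothing matched


# Constructed inputs: valid Ed25519 SPKI DER around placeholder key bytes,
# a stand-in for the leaf certificate DER, and one good/one bad TLSA record.
SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
CERT_DER = b"constructed stand-in for the leaf certificate DER"
TLSA_GOOD = TLSA.from_presentation("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())
TLSA_BAD = TLSA.from_presentation("3 1 1 " + "00" * 32)


def demo() -> dict:
    """Run the three models with PKIX deliberately failing, so the result
    shows which trust model (if any) lets the connection through."""
    local = TlsaLookup.from_local_validator([TLSA_GOOD], DnssecStatus.SECURE)
    up_ad = TlsaLookup.from_upstream([TLSA_GOOD], ad_flag=True, rcode="NOERROR")
    up_no_ad = TlsaLookup.from_upstream([TLSA_GOOD], ad_flag=False, rcode="NOERROR")
    args = (False, CERT_DER, SPKI_DER)
    return {
        "pkix_only": accept_peer(Mode.PKIX_ONLY, local, *args),
        "dane_local": accept_peer(Mode.DANE_LOCAL_VALIDATION, local, *args),
        "dane_upstream_ad": accept_peer(Mode.DANE_TRUST_UPSTREAM, up_ad, *args),
        "dane_upstream_no_ad": accept_peer(Mode.DANE_TRUST_UPSTREAM, up_no_ad, *args),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes explicit is that models 2 and 3 run identical acceptance logic; everything that differs is in from_local_validator versus from_upstream, i.e. in who is trusted to have set the status. A SERVFAIL from the upstream is treated as bogus rather than as "no DANE", since accepting PKIX there would let an on-path attacker downgrade by breaking the DNS answer.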