Re: [dispatch] Question about draft-johansson-dispatch-dane-sip-00.txt
"Olle E. Johansson" <oej@edvina.net> Thu, 09 January 2014 07:39 UTC
Return-Path: <oej@edvina.net>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34C331AE0E3 for <dispatch@ietfa.amsl.com>; Wed, 8 Jan 2014 23:39:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swd3VSxAJ5M8 for <dispatch@ietfa.amsl.com>; Wed, 8 Jan 2014 23:39:15 -0800 (PST)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) by ietfa.amsl.com (Postfix) with ESMTP id 775CF1AE09B for <dispatch@ietf.org>; Wed, 8 Jan 2014 23:39:14 -0800 (PST)
Received: from [192.168.40.13] (h87-96-134-129.dynamic.se.alltele.net [87.96.134.129]) by smtp7.webway.se (Postfix) with ESMTPA id 2BC2B93C2A1; Thu, 9 Jan 2014 07:39:04 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <B3D81A46-D717-4E41-A35B-AB2DCF93A2C9@cisco.com>
Date: Thu, 09 Jan 2014 08:39:03 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <0A864EF2-E6F3-4B62-A986-8FCEA4647AC0@edvina.net>
References: <B3D81A46-D717-4E41-A35B-AB2DCF93A2C9@cisco.com>
To: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
X-Mailer: Apple Mail (2.1827)
Cc: "dispatch@ietf.org list" <dispatch@ietf.org>
Subject: Re: [dispatch] Question about draft-johansson-dispatch-dane-sip-00.txt
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 07:39:18 -0000
On 08 Jan 2014, at 20:02, Cullen Jennings (fluffy) <fluffy@cisco.com> wrote: > > I'm a bit confused about if this differs from the procedures specified in http://tools.ietf.org/html/draft-ietf-dane-srv > > 1) I was assuming that all we need to do for DANE in SIP was more or less make a draft which is an extension to 3261 (and not a modification of 3261) that said do what draft-ietf-dane-srv says. So when I read the normative parts of text of draft-johansson-dispatch-dane-sip I have a hard time deciding if is saying to do something different than draft-ietf-dane-srv or not. Can you help make this clear? I need to go back and compare and maybe remove parts that are overlapping. On the other hand I want to have a document that is very clear for SIP developers. I guess the only difference is the way we start with a SIP uri domain part to look up the SRV. Remember that I'm still a newbie in this document-writing space :-) The "updates 5922" part will be removed in a coming edition of this draft. It's a misunderstanding on my behalf. > > I would prefer to see the draft crisply separated into what the normative part of the draft is and what is gnarly tutorial but actually specified in other specifications. ok. > > > 2) Lets say we have a domain example.com that is happily doing SIP with TLS with a normal cert. But an attacker managed to insert a DNS SRV record that points example.com to a host at attacker.com and get all the DNS signed for that. The host at attacker.com does have the private key for the certificate at example.com. > > In this case, my understanding of your draft is the attack successes and the DANE enabled client would successfully connect to attacker.com. Do I have this right and does this match up with assumptions on how DANE will be be deployed and used ? I'm not arguing this one way or other yet, I just want the draft to be very clear and help people understand. Well if attackers can insert records and get them signed, then the hole assumption of DANE being a secure platform falls on its head. It's like saying "If an attacker can get a certificate for fluffy.com signed by a well-known CA then people will trust the attackers web site to be owned by fluffy." Yes. And btw, that has happend... That's one of the target scenarios that DANE is trying to stop by being able to specify the CA used for a service in a domain in the signed zone. I guess we will have to look at DNS updates and how they're being signed at some point. But that's out of scope for this group. > > > BTW - thanks for working on this. We've needed a DANE SIP draft for a long time. I would guess that this will all end up in sip core but glad to discuss it here in meantime. Your welcome. /O > > > Cullen >
- [dispatch] Question about draft-johansson-dispatc… Cullen Jennings (fluffy)
- Re: [dispatch] Question about draft-johansson-dis… Olle E. Johansson