Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

Vittorio Bertola <vittorio.bertola@open-xchange.com> Tue, 16 February 2021 15:57 UTC

Date: Tue, 16 Feb 2021 16:57:38 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "dprive@ietf.org" <dprive@ietf.org>
Message-ID: <1924199049.18518.1613491058715@appsuite-gw1.open-xchange.com>
In-Reply-To: <ff1e6d9-6e66-dadf-2847-3e071b34618@nohats.ca>
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CABcZeBPcBT0UY-ghaMm_nN+qZ+B0ozmCfK30XX-R05z+PLtqmQ@mail.gmail.com> <137b74ff-887f-056a-74e3-7a80358b5156@cs.tcd.ie> <CABcZeBMyULUznkCVzxb6ufCx1XaT1zKx0jLLwxXhL7hRwMkv+A@mail.gmail.com> <fd132f9d-630e-112d-d777-0e6a7a767e84@cs.tcd.ie> <ff1e6d9-6e66-dadf-2847-3e071b34618@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9ygTSFHjoeby9hjTOsdQFQ06bew>

> Il 16/02/2021 00:23 Paul Wouters <paul@nohats.ca> ha scritto:
> 
> Now you can choose:
> 
> 1) Use DNS(SEC) for validation
> 2) Use WebPKI[*] for validation
> 3) TOFU
> 4) Take at face value
> [*] well, it's really trusting only LetsEncrypt CA[**]
> [**] Which depends on insecure DNS records for authentication, so
>       in reality you need DNSSEC or WebPKI is just reduced to TOFU

Thanks for noting this. In general, I think that any solution for the authentication of name servers should not depend on the WebPKI. The DNS is a foundational block of the Internet - if it stops working, all services stop working (except those based on the direct use of IP addresses), not just the Web. The DNS should have as few dependencies as possible, and certainly not depend on the policy and security mechanisms of specific application-layer protocols.

Also, requiring you to acquire a certificate from a Web CA would be quite a change from the traditional model in which you could just run your own zone without having to ask anyone for permission. It would introduce a gatekeeping role and attribute it to a relatively small set of private parties (again, centralization). The fact that certificates are currently available for free is not a solution, first because there is no guarantee that they always will be, and second because this does not alleviate the gatekeeping concerns.

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy