Re: [dnsext] Report from chairs
Federico Lucifredi <lucifred@post.harvard.edu> Fri, 30 July 2010 18:40 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 408BD3A6ADB; Fri, 30 Jul 2010 11:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.756
X-Spam-Level: *
X-Spam-Status: No, score=1.756 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aor+GnVcG5K8; Fri, 30 Jul 2010 11:40:32 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 48B653A67DA; Fri, 30 Jul 2010 11:40:31 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1OeuQh-000NGV-Mg for namedroppers-data0@psg.com; Fri, 30 Jul 2010 18:35:35 +0000
Received: from [69.17.117.50] (helo=mail6.sea5.speakeasy.net) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72 (FreeBSD)) (envelope-from <lucifred@post.harvard.edu>) id 1OeuQf-000NGG-FL for namedroppers@ops.ietf.org; Fri, 30 Jul 2010 18:35:33 +0000
Received: (qmail 25261 invoked from network); 30 Jul 2010 18:35:30 -0000
Received: from unknown (HELO [164.99.130.58]) (federico@[130.57.22.201]) (envelope-sender <lucifred@post.harvard.edu>) by mail6.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <hallam@gmail.com>; 30 Jul 2010 18:35:30 -0000
Message-ID: <4C531B70.8060505@post.harvard.edu>
Date: Fri, 30 Jul 2010 14:35:28 -0400
From: Federico Lucifredi <lucifred@post.harvard.edu>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
CC: Francis Dupont <Francis.Dupont@fdupont.fr>, Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Report from chairs
References: <20100725213920.GF8017@shinkuro.com> <201007260710.o6Q7AjoB025253@givry.fdupont.fr> <AANLkTimVBmC=mMCzr1SO7k=9qfTXkdVWMd3Lrzcw8T+C@mail.gmail.com>
In-Reply-To: <AANLkTimVBmC=mMCzr1SO7k=9qfTXkdVWMd3Lrzcw8T+C@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
I disagree. The shelving of TSIG/MD5 makes sense on its own (albeit just on stack certification grounds - we understand that MD5 is not compromised in this use). There are no transitions: providers who care about ("no MD5" certifications will just be able to drop the support for this algorithm and claim both compliance with certification and with RFC standard. That is a simple, self-contained issue. DNScurve, which I am not a detractor to, will be mired in the usual SEC feuding for a time, regardless of outcome. Whichever side you may take on it, you know that is inevitably going to be the case. So, if a consensus can be reached on closing the smaller TSIG/MD5 issue per draft-ietf-dnsext-tsig-md5, I would support that. And if the original author is too busy to pursue it, I am willing to be the "process monkey" who gets it done. Could the chairs indicate what would be the next step for this draft. Best -Federico Phillip Hallam-Baker wrote: > My feeling is that we should shelve this and instead work on a key > exchange to compliment TSIG and then deprecate HMAC-MD5 for use in > that context. > > The reason for this is that I think DNS-CURVE meets a real need, even > if the approach is not really sensitive to existing DNS code. > Suggesting a move to ECC is a good idea, suggesting transport layer > security is a good idea. Suggesting both in the same proposal is not. > > For example, most enterprises use split DNS. They do not want their > internal DNS to be externally visible. But if (like me) the only > corporate facility you really need most of the time is email, you can > get perfectly adequate support by using SMTP and IMAP/POP over SSL. > Using IPSEC just to secure the DNS part is really quite painful. This > approach is much cleaner. > > > So given that we can expect to upgrade the whole TSIG area in an > important way, and given that there is no immediate security risk with > MD5, I think it makes sense to have one transition rather than two. > > > On Mon, Jul 26, 2010 at 3:10 AM, Francis Dupont > <Francis.Dupont@fdupont.fr> wrote: >> In your previous mail you wrote: >> >> 4. EXPIRED DRAFTS >> >> - draft-ietf-dnsext-tsig-md5-deprecated >> >> Is anyone still interested in this draft? We have no movement on it. >> >> => there is a clear lack of support for this draft. I propose to give >> the question to the security area so they should say if it is fine to >> keep MD5 mandatory in an IETF protocol. >> >> Two comments: >> - MD5 is used in a way (HMAC) it is not proved to be weak >> >> - the issue is MD5 it is forbidden for most (i.e., all I know of :-) >> certified cryptos so it is not possible to run a both certified (for >> the crypto) and conformant (to standards) TSIG tool. >> Now it seems to be only a formal concern... >> >> Thanks >> >> Francis.Dupont@fdupont.fr >> >> > > > -- _________________________________________ -- "'Problem' is a bleak word for challenge" - Richard Fish (Federico L. Lucifredi) - lucifred@fas.harvard.edu
- [dnsext] Report from chairs Andrew Sullivan
- Re: [dnsext] Report from chairs Francis Dupont
- Re: [dnsext] Report from chairs Federico Lucifredi
- Re: [dnsext] Report from chairs Phillip Hallam-Baker
- Re: [dnsext] Report from chairs Francis Dupont
- Re: [dnsext] Report from chairs Federico Lucifredi
- Re: [dnsext] Report from chairs Joe Abley
- Re: [dnsext] Report from chairs Jeffrey A. Williams
- Re: [dnsext] Report from chairs Federico Lucifredi