Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
Wes Hardaker <wjhns1@hardakers.net> Wed, 03 August 2016 17:23 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BBA912D791 for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 10:23:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ryl9CpvNYXp for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 10:22:58 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.236.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39B6B12D0C7 for <dnsop@ietf.org>; Wed, 3 Aug 2016 10:22:58 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id C728F2998B; Wed, 3 Aug 2016 10:22:56 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Shane Kerr <shane@time-travellers.org>
References: <0lfuqoqhd7.fsf@wjh.hardakers.net> <20160803135819.3421ce3f@pallas.home.time-travellers.org>
Date: Wed, 03 Aug 2016 10:22:55 -0700
In-Reply-To: <20160803135819.3421ce3f@pallas.home.time-travellers.org> (Shane Kerr's message of "Wed, 3 Aug 2016 13:58:19 +0200")
Message-ID: <0lziothimo.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-Ji21J4sbB-gqCq6Sikz0H9YciQ>
Cc: dnsop@ietf.org, Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 17:23:00 -0000
Shane Kerr <shane@time-travellers.org> writes:

> Reading this document it basically seems like the hold-down timer is
> actually a potential for mischief, rather than a good thing.

No, it's a useful thing (per the discussion in 5011 itself as to its
purpose).  The problem is that the length of the hold-down timer (used at
the 5011 validator) does not equal the length of time the publisher must
wait before switching keys.  5011 only provides guidance for the
validator, but leaves out the information to be used by the publisher.
Thus, 5011 is really half the document it needs to be, and the missing
half can cause security implications if you can't self-derive the
values.  And judging by our survey of experts, I don't think the average
Joe will pick a safe value (hence the need for the document).

-- 
Wes Hardaker
Parsons
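The point made in the reply above, that the validator's hold-down timer is not the same quantity as the time a publisher must wait before relying on the new key, can be seen with a small simulation. The model below is an added example written for this page; it is not code from the draft or from either author, and it is not the draft's formula. It assumes each validator polls the DNSKEY RRset at a fixed active-refresh interval and evaluates its hold-down timer only when it polls, it ignores DNSKEY TTL caching, RRSIG lifetimes and key revocation (each of which only lengthens the real required wait), and the key labels are constructed. The 30-day add hold-down is RFC 5011's default and 15 days is the longest active refresh interval RFC 5011 allows.

```python
"""Toy model of why an RFC 5011 publisher must wait longer than the
validator's add hold-down time before switching to a new trust anchor.

Assumptions (illustrative model, not the draft's formula):
  * a validator polls DNSKEY every `active_refresh` seconds and checks
    its hold-down timer only when it polls;
  * the new key appears in the zone at t = 0; a given validator's first
    poll after that lands at some offset in [0, active_refresh);
  * DNSKEY TTL caching, RRSIG expiry and revocation are not modelled.
"""
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR
ADD_HOLD_DOWN = 30 * DAY                 # RFC 5011 default add hold-down

OLD_KEY, NEW_KEY = "ksk-old", "ksk-new"  # constructed key labels


@dataclass
class Rfc5011Validator:
    """Minimal Start -> AddPend -> Valid state machine for one trust point."""
    active_refresh: int
    add_hold_down: int = ADD_HOLD_DOWN
    trusted: set = field(default_factory=lambda: {OLD_KEY})
    pending: dict = field(default_factory=dict)   # key -> time first seen

    def poll(self, now: int, dnskeys: set) -> None:
        """Process one DNSKEY response received at time `now` (seconds)."""
        for key in dnskeys:
            if key in self.trusted:
                continue
            first_seen = self.pending.setdefault(key, now)
            # A key seen continuously for the whole hold-down period
            # becomes a trusted anchor (RFC 5011 AddPend -> Valid).
            if now - first_seen >= self.add_hold_down:
                self.trusted.add(key)
                del self.pending[key]
        # A pending key that disappears before its timer expires falls
        # back to the Start state.
        for key in list(self.pending):
            if key not in dnskeys:
                del self.pending[key]


def trust_time(active_refresh: int, first_poll_offset: int,
               add_hold_down: int = ADD_HOLD_DOWN) -> int:
    """Seconds after publication at which one validator trusts NEW_KEY."""
    v = Rfc5011Validator(active_refresh, add_hold_down)
    t = first_poll_offset
    v.poll(t, {OLD_KEY, NEW_KEY})
    while NEW_KEY not in v.trusted:
        t += active_refresh
        v.poll(t, {OLD_KEY, NEW_KEY})
    return t


def worst_case_trust_time(active_refresh: int,
                          add_hold_down: int = ADD_HOLD_DOWN) -> int:
    """Latest trust time over validators whose first poll after
    publication falls anywhere in [0, active_refresh)."""
    offsets = list(range(0, active_refresh, HOUR)) + [active_refresh - 1]
    return max(trust_time(active_refresh, off, add_hold_down) for off in offsets)


def safe_to_switch(publisher_wait: int, active_refresh: int,
                   add_hold_down: int = ADD_HOLD_DOWN) -> bool:
    """True if a publisher that switches `publisher_wait` seconds after
    publishing the new key strands none of the modelled validators."""
    return publisher_wait >= worst_case_trust_time(active_refresh, add_hold_down)


if __name__ == "__main__":
    refresh = 15 * DAY   # longest active refresh RFC 5011 allows
    naive = ADD_HOLD_DOWN
    print(f"publisher waits exactly the hold-down ({naive // DAY} days): "
          f"safe={safe_to_switch(naive, refresh)}")
    need = worst_case_trust_time(refresh)
    print(f"slowest validator trusts the new key after {need / DAY:.2f} days")
```

With a 15-day refresh, a publisher that waits exactly the 30-day hold-down leaves behind every validator that polled just before the key appeared: the slowest one needs almost 45 days, because up to one refresh interval passes before it first sees the key, and the timer is only acted on at a later poll. In general the model gives hold-down plus up to two refresh intervals; the draft under discussion adds further terms for TTLs and signature lifetimes that this toy deliberately leaves out.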