Re: [DNSOP] new dnsop related draft: RFC5011 security considerations

Wes Hardaker <wjhns1@hardakers.net> Wed, 03 August 2016 17:23 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Shane Kerr <shane@time-travellers.org>
References: <0lfuqoqhd7.fsf@wjh.hardakers.net> <20160803135819.3421ce3f@pallas.home.time-travellers.org>
Date: Wed, 03 Aug 2016 10:22:55 -0700
In-Reply-To: <20160803135819.3421ce3f@pallas.home.time-travellers.org> (Shane Kerr's message of "Wed, 3 Aug 2016 13:58:19 +0200")
Message-ID: <0lziothimo.fsf@wjh.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-Ji21J4sbB-gqCq6Sikz0H9YciQ>
Cc: dnsop@ietf.org, Wes Hardaker <wjhns1@hardakers.net>

Shane Kerr <shane@time-travellers.org> writes:

> Reading this document it basically seems like the hold-down timer is
> actually a potential for mischief, rather than a good thing.

No, it's a useful thing (per the discussion in 5011 itself as to its
purpose).  The problem is that the length of the hold-down timer (used at
the 5011 validator) does not equal the length of time the publisher must
wait before switching keys.  5011 only provides guidance for the
validator, but leaves out the information to be used by the publisher.
Thus, 5011 is really half the document it needs to be, and the missing
half can cause security implications if you can't self-derive the values.
And judging by our survey of experts, I don't think the average Joe will
pick a safe value (hence the need for the document).
-- 
Wes Hardaker
Parsons
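
An added example illustrating the gap Wes describes, not code from the
draft, from RFC 5011, or from anyone in this thread: a simplified timing
model of an RFC 5011 validator that polls at the activeRefresh interval of
RFC 5011 section 2.3 and may be answered from a cache holding a DNSKEY
RRset up to one TTL old.  The hold-down timer is the 30-day add hold-down
time from RFC 5011; the DNSKEY TTL and RRSIG validity period are assumed
values chosen for illustration, and the "analytic bound" is derived from
this model only, not the formula the draft arrives at.  Running it shows
that a publisher who switches keys exactly when the 30-day hold-down
timer expires leaves nearly every modelled validator with the new key
still in AddPend.

```python
"""Timing model for an RFC 5011 trust-anchor rollover (added example).

Models how long a publisher must keep the old key in service before every
RFC 5011 validator can have moved the new key from AddPend to Valid.  The
validator here is simplified: it polls every activeRefresh seconds, and the
DNSKEY RRset it receives may come from a cache with a fixed staleness of up
to one TTL.  Parameter defaults other than the hold-down time are assumed.
"""
from dataclasses import dataclass
from itertools import product

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)
class Rfc5011Params:
    add_hold_down: int = 30 * DAY   # RFC 5011 section 2.4.1 add hold-down time
    dnskey_ttl: int = 2 * DAY       # assumed original TTL of the DNSKEY RRset
    sig_validity: int = 14 * DAY    # assumed RRSIG validity period on that RRset


def active_refresh(p: Rfc5011Params) -> int:
    """RFC 5011 section 2.3:
    activeRefresh = MAX(1 hr, MIN(15 days, 1/2 OrigTTL, 1/2 RRSigExpirationInterval))."""
    return max(HOUR, min(15 * DAY, p.dnskey_ttl // 2, p.sig_validity // 2))


def key_valid_at(p: Rfc5011Params, poll_phase: int, cache_age: int,
                 published_at: int = 0) -> int:
    """Time (seconds after publication) at which one validator marks the new key Valid.

    poll_phase: offset of this validator's poll schedule within one activeRefresh.
    cache_age:  fixed staleness of the RRset this validator is handed (0..TTL-1),
                i.e. it sits behind a cache that fetched that long before each poll.
    Simplified RFC 5011 section 2.4.1 state machine: the hold-down timer starts at
    the first poll that returns the new key, resets if a later poll does not, and
    the key becomes Valid at the first poll made once the timer has run
    add_hold_down seconds.
    """
    refresh = active_refresh(p)
    t = poll_phase
    first_seen = None
    while True:
        fetched_at = t - cache_age             # when the cached copy left the authority
        if fetched_at < published_at:          # stale copy: new key not in the RRset
            first_seen = None                  # key missing -> back to Start
        elif first_seen is None:
            first_seen = t                     # Start -> AddPend, timer begins
        elif t - first_seen >= p.add_hold_down:
            return t                           # AddPend -> Valid
        t += refresh


def worst_case_valid_time(p: Rfc5011Params, step: int = HOUR) -> int:
    """Latest Valid time over validators with every poll phase and cache age (hourly grid)."""
    refresh = active_refresh(p)
    return max(key_valid_at(p, phase, age)
               for phase, age in product(range(0, refresh, step),
                                         range(0, p.dnskey_ttl, step)))


def analytic_bound(p: Rfc5011Params) -> int:
    """Upper bound on the same quantity under this model (assumption, not the draft's
    formula): one TTL of cache staleness, up to one activeRefresh before the first
    poll that sees the key, and up to one more before the poll that notices the
    expired hold-down timer."""
    return p.add_hold_down + p.dnskey_ttl + 2 * active_refresh(p)


def fraction_still_pending(p: Rfc5011Params, switch_at: int, step: int = HOUR) -> float:
    """Share of modelled validators that have NOT yet accepted the new key when the
    publisher stops using the old one at switch_at seconds after publication."""
    refresh = active_refresh(p)
    cases = list(product(range(0, refresh, step), range(0, p.dnskey_ttl, step)))
    pending = sum(1 for phase, age in cases if key_valid_at(p, phase, age) > switch_at)
    return pending / len(cases)


if __name__ == "__main__":
    p = Rfc5011Params()
    print(f"activeRefresh:            {active_refresh(p) / DAY:.2f} days")
    print(f"hold-down timer:          {p.add_hold_down / DAY:.0f} days")
    print(f"worst-case acceptance:    {worst_case_valid_time(p) / DAY:.2f} days")
    print(f"model upper bound:        {analytic_bound(p) / DAY:.2f} days")
    print(f"still pending at 30 days: {fraction_still_pending(p, p.add_hold_down):.1%}")
```

With the assumed 2-day TTL the activeRefresh comes out at one day, and the
slowest modelled validator does not accept the new key until almost 33
days after publication, so a publisher who keys off the 30-day hold-down
time alone switches too early.  Shrinking the TTL or the RRSIG validity
period shortens the gap but never removes it, which is the point of
needing the publisher-side guidance the message above describes.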