Re: [DNSOP] [dns-privacy] DNS stamps

Dan Wing <danwing@gmail.com> Fri, 10 January 2020 17:45 UTC

From: Dan Wing <danwing@gmail.com>
In-Reply-To: <addcd575-994c-250e-28c9-24b26ebf7244@nic.cz>
Date: Fri, 10 Jan 2020 09:45:53 -0800
Cc: Ted Lemon <mellon@fugue.com>, dns-privacy@ietf.org, dnsop@ietf.org
Message-Id: <B2CA0A24-7F5F-4B3C-A59B-D5C3DAA95ADC@gmail.com>
References: <20200109143554.GA24757@nic.fr> <B0E87CB4-7CD4-4A12-A58C-1A3BEF104540@fugue.com> <c5e55d18-26b5-6103-7f86-031d2699ff42@nic.cz> <DD5E13AA-8CB1-4698-8892-FF9C470FCDC0@fugue.com> <addcd575-994c-250e-28c9-24b26ebf7244@nic.cz>
To: Vladimír Čunát <vladimir.cunat+ietf@NIC.CZ>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7RntSovg2CX2HQRv5VcZjKIULQA>
Subject: Re: [DNSOP] [dns-privacy] DNS stamps
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Jan 9, 2020, at 10:22 AM, Vladimír Čunát <vladimir.cunat+ietf@NIC.CZ> wrote:
> I see a bigger problem that some of the desired assertions are in principle unverifiable, e.g. "no logging".  Of course, we could (optionally) extend the string by a signature, but I suspect that'd increase the length a lot without sufficient gain in exchange.

The signature could be retrieved and validated separately from the stamp itself.  For example, after getting the DNS stamp, retrieve a well-known DNS object (TXT, new RR, whatever) which is signed by the external entity.  That would keep the signature short and keep the problem away from the signature.  With that, DoH could obtain the signature from the TLS certificate itself, if we wanted, rather than by retrieving a (DNS) object.

-d
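One way to realise the detached attestation sketched in the message above, as an added example that is not code from this thread or from any DNS stamp implementation: the external entity Ed25519-signs the exact stamp bytes and publishes only the signature in a separate TXT record, so the stamp string itself stays unchanged in length. The TXT layout `v=1 sig=<base64>`, the stamp value and the out-of-band trusted public key are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed layout of the attestation TXT record published by the external
// entity; the stamp format itself is opaque here, only its exact bytes matter.
const attestationPrefix = "v=1 sig="

// signStamp produces the TXT record value an external entity would publish
// after vouching for the stamp (for example for a "no logging" claim).
func signStamp(priv ed25519.PrivateKey, stamp string) string {
	sig := ed25519.Sign(priv, []byte(stamp))
	return attestationPrefix + base64.StdEncoding.EncodeToString(sig)
}

// verifyStamp checks a retrieved TXT record value against the stamp and the
// external entity's public key, which the client must trust out of band.
func verifyStamp(pub ed25519.PublicKey, stamp, txt string) error {
	if !strings.HasPrefix(txt, attestationPrefix) {
		return errors.New("attestation record has unexpected format")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(txt, attestationPrefix))
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, []byte(stamp), sig) {
		return errors.New("signature does not cover this stamp")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the external entity's key
	stamp := "example-dns-stamp"                    // constructed placeholder, not a real stamp
	txt := signStamp(priv, stamp)
	fmt.Println("TXT record:", txt, "(", len(txt), "chars )")
	fmt.Println("genuine stamp:", verifyStamp(pub, stamp, txt))
	fmt.Println("altered stamp:", verifyStamp(pub, stamp+"x", txt))
}
```

The signature stays a fixed 64 bytes regardless of what the stamp asserts, which is the length argument made in the message.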