Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Rob Sayre <sayrer@gmail.com> Wed, 17 July 2019 00:10 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E347C12063D for <dnsop@ietfa.amsl.com>; Tue, 16 Jul 2019 17:10:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWCHFiQ8J_8T for <dnsop@ietfa.amsl.com>; Tue, 16 Jul 2019 17:10:41 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB39C12062B for <dnsop@ietf.org>; Tue, 16 Jul 2019 17:10:41 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id j5so38741446ioj.8 for <dnsop@ietf.org>; Tue, 16 Jul 2019 17:10:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=81SVx44V8iwle/TcYqBKcvPp4sT144Kc0Etk7Bc2xBc=; b=R0gFh1Lj+6DEUojDvCLxFmdnh1qIUlPyq5aZWUxPdfda2YWWiEYcZ5mBlocKoynU8l 3N5HL2xy0M0W31BQBCw/VC+mc/QPxYDxsI9Di5ufk1h2twYkXSqmjGQu4P9QaLo3B/r4 MFt+zU+jSscDC2Rv1/gKlxrHqLNgWzs86zDiHWUOCK3ASNhoMtoae6f89vvy4Iv05vBc 5W9JMy3Ru3L2s2pV87NVtaRXHCxIQkuiKPRoCS8lDp8HVl1HkYsRSskEvySE/nCh1QCY 4Ux/Au5vv+BVcDnDZZkVeQzpm0PM87LWNuG93BxVXAlgl7B6kOkdGET+PnFfGcvnr8no J7sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=81SVx44V8iwle/TcYqBKcvPp4sT144Kc0Etk7Bc2xBc=; b=BCFFHwS3kH8W0o1G1NxF+JOU73cf3xs3kPvtRZixLrQ/YSGq1Z6mv/c7I+qo/LbGu9 n7nBLtjHttAkwDItNrFVKB+nxvJFZjPTG2dnOkftswnzoM8AyrAb6AXLNVs6y9+hTQjn mfqApDwWLAC80PLklaC//+qyIMsQTXDCqpfgc2fmZ1K3Kf1QBEetxVKGshouLxdugZMY r+UEX1BDle1DL2jEdJvE3ZuIIR3ZvD9aBCnmOuMUMXoekuSUKwGzUcu1baYV5vDM41Zu iI9WZGjUgmy7JAEWa7JHI9FaTg7HkA7juRSCOsVGQGodduzb++qut2o2RHkYYp2wGely mogQ==
X-Gm-Message-State: APjAAAV2XCdIpHGxZOwVUxAJ6swz8/MuLozBpvqeTiJIdI4z63p+nmiT pvsOq3PwHY9XoHQ+RhNIYADh8a9aWXNmsTVOaFM=
X-Google-Smtp-Source: APXvYqxz46TajDO6SzIfYkNVCGXxwn5I1W92rh+akDE0Tmd7h3EIouwSd/j9QZaLdcVg0j+osopihW+8EPv0BbnW3RE=
X-Received: by 2002:a5e:d618:: with SMTP id w24mr33760572iom.73.1563322240963; Tue, 16 Jul 2019 17:10:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6SyVmgMpD6Cd=m2Z03nts-Bv9ZVgJkG8oaj_jzwYMUZuCg@mail.gmail.com> <3220557.rvQTihJl8x@linux-9daj> <CAChr6SyM3LSgAdu5+SJGq-n=+AZc7M44BVSru_EZgf9svBHo3w@mail.gmail.com> <8499859.s69PqOT0jb@linux-9daj> <CAChr6Syp4TR2HRy6ehn2rduuPQepADD=2Jj45ba5ncG52i9vYA@mail.gmail.com> <CABcZeBOi2g3X3oSuWuSzUWxTwSCG=auxVzjy+aJEKemVZU7W9Q@mail.gmail.com> <CAChr6Swy76TV=w4sn0VBns1U912rBjYS+DVpR46jPVU6E879fg@mail.gmail.com> <BN8PR21MB120256255A71749066FA7671FACE0@BN8PR21MB1202.namprd21.prod.outlook.com> <CAChr6SwLntKYYPw5e8EerUaj3U_tGoVoRkNu35nmvrdp6ZDnZw@mail.gmail.com>
In-Reply-To: <CAChr6SwLntKYYPw5e8EerUaj3U_tGoVoRkNu35nmvrdp6ZDnZw@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 16 Jul 2019 17:10:29 -0700
Message-ID: <CAChr6Szm9q1japfxLMVDEt7LN8bR7EKczL0_qVwowmmq87M7dg@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas@microsoft.com>
Cc: Eric Rescorla <ekr@rtfm.com>, dnsop WG <dnsop@ietf.org>, Paul Vixie <paul@redbarn.org>
Content-Type: multipart/alternative; boundary="000000000000d79b72058dd55214"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ReFdMHAfHcjXpsKep9x1VZjRj0s>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 00:10:50 -0000

Hi Tommy,

I also noticed that your email client rewrote the link to "The Register", a
site that everyone knows, which then linked to NY Times, etc.

It used the domain "nam06.safelinks.protection.outlook.com". Why would that
domain be necessary if DNS-based security worked?

thanks,
Rob


On Tue, Jul 16, 2019 at 10:32 AM Rob Sayre <sayrer@gmail.com> wrote:

>
>
> On Tue, Jul 16, 2019 at 10:20 AM Tommy Jensen <Jensen.Thomas@microsoft.com>
> wrote:
>
>> The link you shared indicates the problem is RC4, which was removed from
>> TLS in 1.3 for this very reason. This doesn’t demonstrate TLS 1.3 is
>> vulnerable; it demonstrates why adopting TLS 1.3 is so important.
>>
>
> Yeah, that's one part of it, but some of the other approaches described
> are more general.
>
> thanks,
> Rob
>
>
>
>>
>> Thanks,
>> Tommy
>> ------------------------------
>> *From:* DNSOP <dnsop-bounces@ietf.org> on behalf of Rob Sayre <
>> sayrer@gmail.com>
>> *Sent:* Tuesday, July 16, 2019 8:46:42 AM
>> *To:* Eric Rescorla <ekr@rtfm.com>
>> *Cc:* dnsop WG <dnsop@ietf.org>; Paul Vixie <paul@redbarn.org>
>> *Subject:* Re: [DNSOP] Fwd: [Add] new draft:
>> draft-grover-add-policy-detection-00
>>
>> On Tue, Jul 16, 2019 at 6:41 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>
>>
>> The certs are public information, so having the certs isn't useful. Can
>> you please be clearer about the attack you are describing?
>>
>>
>> Sure, here's an article about it:
>> <
>> https://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.theregister.co.uk%2F2013%2F09%2F06%2Fnsa_cryptobreaking_bullrun_analysis%2F&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C496a0b49339349ac921308d70a04e0de%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636988888386522988&sdata=SbICd7%2FtkDlhh1zyusjw75CRgg6KHhbpzH0Efn%2BoBew%3D&reserved=0>
>> >
>>
>> Do you have any thoughts on that?
>>
>> thanks,
>> Rob
>>
>