Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters <paul@nohats.ca> Fri, 08 April 2022 14:40 UTC

Date: Fri, 08 Apr 2022 10:40:27 -0400
From: Paul Wouters <paul@nohats.ca>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <0e2dffab-6afc-b1b6-9028-175f89f0d29e@necom830.hpcl.titech.ac.jp>
Message-ID: <b3bf6748-be6d-a287-27e4-87af36ab10@nohats.ca>
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <350d8ab8-0477-b656-8b08-56f7561a7fda@necom830.hpcl.titech.ac.jp> <CAH1iCiqkAPHq1QBKdkbh86j8UhimjEMG9DU15O9Tkch4BedBjg@mail.gmail.com> <0e2dffab-6afc-b1b6-9028-175f89f0d29e@necom830.hpcl.titech.ac.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SuD5W9VLJk7KzEVeUfAM_NiOap8>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice

On Fri, 8 Apr 2022, Masataka Ohta wrote:

> First, "CA" is terminology not specific to WebPKI, whatever
> it means, but PKI in general including DNS. That is, a DNSSEC
> TLD is a CA.

This is incorrect. Or rather, it is equivalent to a CA with a
very strict path constraint of being within the TLD. In your
favourite terms, DigiNotar as DNSSEC entity would have only
been able to mess up .nl and not any other TLD, if it had been
a "DNSSEC CA" instead of a "webpki CA". The hierarchical space
offers better security than the flat webpki.

> Second "any CA which is weaker than some TLD" means not
> "cryptographically weaker" but "operationally/physically
> weaker". As such, your conclusion can only be "DNSSEC is
> more operationally/physically secure than WebPKI"

You keep conflating operational security with protocol security, and
insisting protocol security is not needed because operational security
is always the weaker link.

But you are not offering any alternative ("larger plaintext cookies"
is not a security protocol) and therefore imply we should abandon every
cryptographic protocol in the name of "false security".

So please tell me why you use TLS at all? Why not force your browser
into only using port 80? You can also use extra long HTTP header
cookies.

Paul
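A toy model of the scoping argument in the message above, added here as an illustration and not code from the author or from any DNSSEC or PKI implementation: HMAC stands in for real signatures, the keys and names are constructed, and only the root-to-TLD delegation step of DNSSEC is modelled. It shows that a validator which derives the acceptable key from the name's own hierarchy (the DS binding published by the parent) confines a compromised TLD key to that TLD, whereas a flat trust store accepts the same compromised key for any name.

```python
import hashlib
import hmac

# Toy "signature": HMAC with the zone/CA key stands in for a real signature.
def sign(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def key_digest(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

# Constructed keys, one per TLD. In the DNSSEC-style model the root signs a
# DS-style binding of each TLD name to the digest of that TLD's key.
ROOT_KEY = b"constructed-root-key"
TLD_KEYS = {"nl": b"constructed-nl-key", "com": b"constructed-com-key"}
DS = {tld: sign(ROOT_KEY, f"{tld}:{key_digest(k)}") for tld, k in TLD_KEYS.items()}

def dnssec_validate(name: str, rdata: str, zone_key: bytes, sig: str) -> bool:
    """Hierarchical check: which key may sign `name` follows from the name
    itself (its TLD) and the root-signed DS binding, not from who presents it."""
    tld = name.rsplit(".", 1)[-1]
    expected_ds = sign(ROOT_KEY, f"{tld}:{key_digest(zone_key)}")
    if not hmac.compare_digest(DS.get(tld, ""), expected_ds):
        return False  # presented key is not the one the parent delegated to
    return hmac.compare_digest(sig, sign(zone_key, f"{name}={rdata}"))

# Flat model: every key in the trust store is acceptable for every name.
TRUSTED_CAS = {"nl-ca": b"constructed-nl-key", "com-ca": b"constructed-com-key"}

def webpki_validate(name: str, rdata: str, ca_id: str, sig: str) -> bool:
    key = TRUSTED_CAS.get(ca_id)
    return key is not None and hmac.compare_digest(sig, sign(key, f"{name}={rdata}"))

def blast_radius(compromised_key: bytes, ca_id: str, names) -> dict:
    """For each name, report whether a holder of `compromised_key` can produce
    a record that each validator accepts (constructed rdata 192.0.2.1)."""
    out = {}
    for name in names:
        sig = sign(compromised_key, f"{name}=192.0.2.1")
        out[name] = {
            "dnssec": dnssec_validate(name, "192.0.2.1", compromised_key, sig),
            "webpki": webpki_validate(name, "192.0.2.1", ca_id, sig),
        }
    return out

if __name__ == "__main__":
    # Scenario from the thread: the .nl key is compromised.
    print(blast_radius(TLD_KEYS["nl"], "nl-ca", ["victim.nl", "victim.com"]))
```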