Re: [DNSOP] [dns-privacy] DNS stamps

Ted Lemon <mellon@fugue.com> Fri, 10 January 2020 18:03 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <B2CA0A24-7F5F-4B3C-A59B-D5C3DAA95ADC@gmail.com>
Date: Fri, 10 Jan 2020 10:03:32 -0800
Cc: Vladimír Čunát <vladimir.cunat+ietf@NIC.CZ>, dns-privacy@ietf.org, dnsop@ietf.org
Message-Id: <E9E7B39B-87F5-4D42-B418-D1FACE3DFB91@fugue.com>
References: <20200109143554.GA24757@nic.fr> <B0E87CB4-7CD4-4A12-A58C-1A3BEF104540@fugue.com> <c5e55d18-26b5-6103-7f86-031d2699ff42@nic.cz> <DD5E13AA-8CB1-4698-8892-FF9C470FCDC0@fugue.com> <addcd575-994c-250e-28c9-24b26ebf7244@nic.cz> <B2CA0A24-7F5F-4B3C-A59B-D5C3DAA95ADC@gmail.com>
To: Dan Wing <danwing@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZTU89XsrCMx8PRqtXW6fCQxZFeQ>
Subject: Re: [DNSOP] [dns-privacy] DNS stamps

On Jan 10, 2020, at 9:45 AM, Dan Wing <danwing@gmail.com> wrote:
> The signature could be retrieved and validated separately from the stamp itself.  For example, after getting the DNS stamp, retrieve a well-known DNS object (TXT, new RR, whatever) which is signed by the external entity.  That would keep the signature short and keep the problem away from the signature.  With that, DoH could obtain the signature from the TLS certificate itself, if we wanted, rather than by retrieving a (DNS) object.

Sure, if the stamp had a validation process, that would address one of the issues I raised.   :)
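The detached-signature idea in the quoted message, as an added example that is not code from either poster or from any DNS stamp implementation: an external entity signs the exact stamp string and publishes the signature in a well-known TXT record, and the client, holding only the entity's pinned public key, looks the record up and verifies it before trusting the stamp. Everything below is an assumption for illustration: Ed25519 as the signature scheme, the `v=stampsig1; sig=<base64>` TXT layout, the `_stampsig.resolver.example.` owner name, the opaque stamp string, and an in-memory map standing in for the resolver so it runs offline. The DoH variant that pulls the signature from the TLS certificate is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: an opaque string standing in for a DNS stamp. The real
// stamp encoding is not part of this example; only its bytes matter here.
const sampleStamp = "sdns://EXAMPLE-STAMP-BYTES-CONSTRUCTED"

// txtLookup abstracts "fetch the TXT strings at this owner name" so the same
// client code works against a real resolver or the in-memory table below.
type txtLookup func(name string) ([]string, error)

// signStamp is the external entity's one-time step: sign the exact stamp
// bytes and emit the TXT string to publish (hypothetical "stampsig1" format).
func signStamp(priv ed25519.PrivateKey, stamp string) string {
	sig := ed25519.Sign(priv, []byte(stamp))
	return "v=stampsig1; sig=" + base64.StdEncoding.EncodeToString(sig)
}

// parseSigRecord extracts the signature from one TXT string in the constructed
// "v=stampsig1; sig=..." layout; unrelated or malformed strings return false.
func parseSigRecord(txt string) ([]byte, bool) {
	var sigB64 string
	versionOK := false
	for _, kv := range strings.Split(txt, ";") {
		kv = strings.TrimSpace(kv)
		switch {
		case kv == "v=stampsig1":
			versionOK = true
		case strings.HasPrefix(kv, "sig="):
			sigB64 = strings.TrimPrefix(kv, "sig=")
		}
	}
	if !versionOK || sigB64 == "" {
		return nil, false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, false
	}
	return sig, true
}

// validateStamp is the client side: fetch the well-known record, then verify
// each candidate signature over the stamp against the pinned public key.
// The stamp itself carries no signature, which keeps it short.
func validateStamp(stamp, sigName string, pub ed25519.PublicKey, lookup txtLookup) error {
	txts, err := lookup(sigName)
	if err != nil {
		return err
	}
	for _, txt := range txts {
		sig, ok := parseSigRecord(txt)
		if !ok {
			continue // e.g. an SPF string living at the same name
		}
		if ed25519.Verify(pub, []byte(stamp), sig) {
			return nil
		}
	}
	return errors.New("no valid signature record for stamp")
}

// mapLookup builds a txtLookup over an in-memory table (constructed data).
func mapLookup(table map[string][]string) txtLookup {
	return func(name string) ([]string, error) {
		txts, ok := table[name]
		if !ok {
			return nil, fmt.Errorf("NXDOMAIN: %s", name)
		}
		return txts, nil
	}
}

// demo wires both roles together: the genuine stamp must validate and a
// tampered copy (one appended byte) must be rejected.
func demo() (genuineOK bool, tamperedRejected bool, err error) {
	pub, priv, genErr := ed25519.GenerateKey(rand.Reader)
	if genErr != nil {
		return false, false, genErr
	}
	const sigName = "_stampsig.resolver.example." // constructed owner name
	table := map[string][]string{
		sigName: {"v=spf1 -all", signStamp(priv, sampleStamp)},
	}
	lookup := mapLookup(table)
	genuineOK = validateStamp(sampleStamp, sigName, pub, lookup) == nil
	tamperedRejected = validateStamp(sampleStamp+"X", sigName, pub, lookup) != nil
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rej, err := demo()
	fmt.Println("genuine validates:", ok, "tampered rejected:", rej, "err:", err)
}
```

The check is only as strong as the pinning of `pub`: the well-known record tells the client nothing about who the external entity is, so the public key has to arrive out of band (shipped with the client, or in a configuration the user already trusts).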