Re: [Doh] Suggestion on draft-ietf-doh-dns-over-https-13: Recommend DANE-TLS to authenticate the TLS-certificate

Star Brilliant <m13253@hotmail.com> Thu, 16 August 2018 09:01 UTC

From: Star Brilliant <m13253@hotmail.com>
To: "doh@ietf.org" <doh@ietf.org>
CC: "Rene 'Renne' Bartsch, B.Sc. Informatics" <ietf=40bartschnet.de@dmarc.ietf.org>
Date: Thu, 16 Aug 2018 09:01:47 +0000
Message-ID: <BYAPR19MB224839928ED4EC67F094F74A943E0@BYAPR19MB2248.namprd19.prod.outlook.com>
References: <6fb4a552-8d5e-494b-f934-1f97b83b0ab6@bartschnet.de>
In-Reply-To: <6fb4a552-8d5e-494b-f934-1f97b83b0ab6@bartschnet.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/XyqAlf5QAcp_2AjcOkUWIoI6OpQ>
List-Id: DNS Over HTTPS <doh.ietf.org>

On Thu, Aug 16, 2018 at 6:13 PM Rene 'Renne' Bartsch, B.Sc. Informatics <ietf=40bartschnet.de@dmarc.ietf.org> wrote:
>
> Hi,
>
> As TLS certificates forged or obtained by devious means have become common in MITM attacks by intelligence agencies and criminals,
> I suggest RECOMMENDING authentication of the DoH server TLS certificate via DANE-TLS (RFC 6698) in section 10 (Security Considerations).

Hi Renne,

I am sorry I could not get your point.

How could it be possible to forge TLS certificates without being detected through our current PKI systems?

But I do agree that we need OCSP stapling to prevent a recursive bootstrapping problem.
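The quoted suggestion is to pin the DoH server's certificate with a DANE TLSA record (RFC 6698) rather than rely on the CA/PKI alone. The following Go program is an added example, not code from this thread or from any DoH implementation: it derives a usage-3 (DANE-EE) TLSA record from a certificate and checks a presented certificate against a list of records. The server name doh.example.net, the throwaway certificates and the function names (`NewTLSA`, `VerifyDANEEE`, `Scenario`) are constructed for illustration; the record field semantics follow RFC 6698.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA fields of an RFC 6698 TLSA record.
type TLSA struct {
	Usage        uint8  // 3 = DANE-EE: the record pins the end-entity certificate itself
	Selector     uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8  // 0 = exact bytes, 1 = SHA-256 (2 = SHA-512 is not handled in this example)
	Data         []byte // certificate association data
}

// associationData computes the certificate association data for one selector and
// matching type, or returns nil when either value is one this example does not support.
func associationData(cert *x509.Certificate, selector, mtype uint8) []byte {
	var sel []byte
	switch selector {
	case 0:
		sel = cert.Raw
	case 1:
		sel = cert.RawSubjectPublicKeyInfo
	default:
		return nil
	}
	switch mtype {
	case 0:
		return sel
	case 1:
		sum := sha256.Sum256(sel)
		return sum[:]
	}
	return nil
}

// NewTLSA derives the record an operator would publish for cert (hypothetical helper).
func NewTLSA(cert *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	data := associationData(cert, selector, mtype)
	if data == nil {
		return TLSA{}, fmt.Errorf("unsupported selector %d / matching type %d", selector, mtype)
	}
	return TLSA{Usage: usage, Selector: selector, MatchingType: mtype, Data: data}, nil
}

// VerifyDANEEE reports whether presented matches at least one usage-3 record.
func VerifyDANEEE(presented *x509.Certificate, records []TLSA) bool {
	for _, r := range records {
		if r.Usage != 3 {
			continue // usages 0-2 also require PKIX chain validation; not handled here
		}
		got := associationData(presented, r.Selector, r.MatchingType)
		if got != nil && bytes.Equal(got, r.Data) {
			return true
		}
	}
	return false
}

// selfSigned builds a throwaway certificate for the constructed scenario below.
func selfSigned(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return cert
}

// Scenario pins a constructed DoH server certificate with a "3 1 1" record, then
// checks both that certificate and a second one for the same name under a fresh key.
func Scenario() (genuineOK, forgedOK bool) {
	genuine := selfSigned("doh.example.net") // constructed name, not a real service
	rec, err := NewTLSA(genuine, 3, 1, 1)
	if err != nil {
		panic(err)
	}
	forged := selfSigned("doh.example.net")
	return VerifyDANEEE(genuine, []TLSA{rec}), VerifyDANEEE(forged, []TLSA{rec})
}
```

The scenario shows the property Renne is after: a second certificate for the same name under a different key fails the TLSA check whether or not some CA signed it. The check is only as strong as the TLSA lookup, so a client must obtain the RRset through DNSSEC validation; a client that does all its DNS over the DoH session being authenticated faces a bootstrapping question of the same kind the reply raises for OCSP.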