[Hipsec] Re: some comments on draft-ietf-hip-dns-09
Julien Laganier <julien.IETF@laposte.net> Thu, 12 July 2007 17:01 UTC
Return-path: <hipsec-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9236-0007Yo-UC; Thu, 12 Jul 2007 13:01:52 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9236-0007YV-7Q for hipsec@ietf.org; Thu, 12 Jul 2007 13:01:52 -0400
Received: from ug-out-1314.google.com ([66.249.92.172]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I9231-0002x0-Lv for hipsec@ietf.org; Thu, 12 Jul 2007 13:01:52 -0400
Received: by ug-out-1314.google.com with SMTP id u2so1021679uge for <hipsec@ietf.org>; Thu, 12 Jul 2007 10:01:46 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; b=n+aqcsAVLWQzyNg4h0cFqwO1OeHp8dW/p3ibery7rycvhjzs78IXhqq4ef+JxXPucpTVoGMcynz7msNd7j77CJx/RCyZP1pfDfd5S6BjcYuoQbJ1cQlD8DPvVlKNpBrdKYWYGbhlh006QkZOyVQEXPXvgTLZLGYzhZmj97LQ1rw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; b=pOiH8gVCUiY+ceJCHoi/JhLFKMI1kpIf0vxMDma4MhHsExzEyEbffe1CKLIhAH8AEoIhqJJKtXq5uLLWQRAFuYcylwKBk34llDY7ihvA9PzPrM/L9MXrjF4VSLYV/VyeqKgbYDLTtaMKJinarP/QarCidjNK8E+psSlTi2zoqsk=
Received: by 10.82.160.2 with SMTP id i2mr816998bue.1184259706605; Thu, 12 Jul 2007 10:01:46 -0700 (PDT)
Received: from ?192.168.1.105? ( [212.119.9.178]) by mx.google.com with ESMTP id 6sm7118208nfv.2007.07.12.10.01.44 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 12 Jul 2007 10:01:45 -0700 (PDT)
From: Julien Laganier <julien.IETF@laposte.net>
To: gabriel montenegro <g_e_montenegro@yahoo.com>
Date: Thu, 12 Jul 2007 19:03:33 +0200
User-Agent: KMail/1.9.1
References: <396019.56274.qm@web81907.mail.mud.yahoo.com>
In-Reply-To: <396019.56274.qm@web81907.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200707121903.33967.julien.IETF@laposte.net>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Cc: hipsec@ietf.org
Subject: [Hipsec] Re: some comments on draft-ietf-hip-dns-09
X-BeenThere: hipsec@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@lists.ietf.org>
List-Help: <mailto:hipsec-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@lists.ietf.org?subject=subscribe>
Errors-To: hipsec-bounces@lists.ietf.org
Hi Gabriel, On Tuesday 10 July 2007 09:59, gabriel montenegro wrote: > I realize these comments are soooo late they might > instead be considered early for the next revision of > the document. Your call. Later is better than never :) Thanks for the comments! > I'm not a DNS expert so have no comments on those > aspects of the draft. I do have some concerns. > > First technical comment: > Section 5.1 only specifies RSA and DSA. Suggest > including ECC as well and getting on with the > times... I never thought about this. This is something that the working group may consider. Note however that including ECC in the DNS RR would not be sufficient; the HIP protocol would also need to be extended/modified to be able to handle ECC public keys and signatures. [...] > But my main concern is with the fact that this RR > encodes a raw public component. This is dangerous. > With CGAs, the assumed (as far as I can see) usage > is that they are meant for ephemeral (short-lived) > usage. But by publishing HIs in the DNS, we are > promoting them as long-lived entities. Accordingly, > the usual knee-jerk reaction to any such usage of > public key technology is: how do you handle > revocation? By encoding a raw public component you > now rely on the DNS to control usage of that HI. > This is a dubious proposition. If, however, the > encoding allowed for HIs to be certificates > (self-signed or CA-issued, whatever) then you could > have the flexibility of populating certain fields to > aid in revocation by pointing at OCSPs or aid in CRL > resolution, without *exclusively* relying on > DNS-based mechanisms to limit usage of the HI in > question. I've never thought too much about revocation in the context of HIP... It is possible to control (i.e. limit in time) usage of the HIs by limiting the TTL of the DNS zones in which you store HIP information. As you note the HIP protocol itself has no provisions to handle certificates with OCSPs as HIs. One guess is that it might have been a design choice, that the identifiers used by HIP are purely flat, non-hierarchical, and can't be traced back to any kind of authority. I am however certainly not right, others on the list might know better... Also, and FWIW, HIP would not be the first protocol to store raw public keys in the protocol, since there's already "A Method for Storing IPsec Keying Material in DNS" [RFC4025]. I do not have a strong opinion on the matters. I think your proposal of allowing HIs to be certificates is interesting. What does the WG at large think of that? --julien _______________________________________________ Hipsec mailing list Hipsec@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hipsec
- [Hipsec] Re: some comments on draft-ietf-hip-dns-… Julien Laganier