Re: Security for various IETF services
Dave Cridland <dave@cridland.net> Thu, 10 April 2014 15:37 UTC
Date: Thu, 10 Apr 2014 16:37:26 +0100
Message-ID: <CAKHUCzzS82uk-z120zWqh+B-9i7fdhNX1bJSscXLZkG5wOQb1Q@mail.gmail.com>
Subject: Re: Security for various IETF services
From: Dave Cridland <dave@cridland.net>
To: Dave Crocker <dcrocker@bbiw.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/3op43RqQvmBJgbkc0LzV8NVord8
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>

On 10 April 2014 11:47, Dave Crocker <dhc@dcrocker.net> wrote:

> On 4/9/2014 3:36 PM, Dave Cridland wrote:
>
>> DNSSEC, and DANE, allow you to provide a "Domain Validated" public key,
>> much like the cheap/free certificates currently available from CAs, but
>> more reliably and simply. I think the same level of trust is there
>> either way, except that the cheap/free CA certs are very weakly
>> validated in practice.
>
> What deployment and use has DANE achieved, so far?

Like all new security technology it's slow going. In the DANE case, we're obviously limited by the deployment of DNSSEC itself as well.

Within the XMPP community, which is really the only place I'm able to track, https://xmpp.net/stats.php will give you the live information, but to save you looking, the percentages are still pretty low. 83 sites out of 3283, so about 2.5%, support DANE. 6.3% deploy DNSSEC signed SRV records. We have, on those servers tested, 100% TLS deployment, but only about 49.4% of those use trusted certificates (there's a lot of CACert.org which are considered untrusted here).

Given that DANE itself is not yet fully specified for XMPP, and is less than two years old, I think this is reasonable traction.

These stats are gathered and maintained by Thijs Alkemade's excellent software, by the way; I don't mean to take any credit for this. I just read 'em.

Dave.