Re: Quic: the elephant in the room

Phillip Hallam-Baker <> Sun, 11 April 2021 14:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 89BE53A0E95 for <>; Sun, 11 Apr 2021 07:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3MAfKuIKDka0 for <>; Sun, 11 Apr 2021 07:56:16 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 39A923A0E93 for <>; Sun, 11 Apr 2021 07:56:16 -0700 (PDT)
Received: by with SMTP id k73so5829844ybf.3 for <>; Sun, 11 Apr 2021 07:56:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SaAo1wYBJmZDm9YAL8bs5lfMz9LsB+EFOAVtV2gjOEw=; b=jwDsZlnkqAHhdSCfR78HyoX2HJD/34en0zkOaN3cYe230XneuUkeYT4H+lviGz3gH/ HrR+0gOeZq3ZOhKB5mLX/UGfttG19jxhUaS1P2OXa9ody0kzf+7cXJvjy0U8DJ698qm9 nnlJZJFmqmjjm6oN02e0opSqNyC3BoATIfe1ske4I11pxZ6aTGfiPmkNjcYQc0tUtREJ xVF6VObr2YoSRRgoFKeRBCffiSF48wi220oHh0hekl8xwN6Y47it6QVqI0rtconzhAVt AMmOqZOa5gTO/VlockBha5LkDDa8GMo0xrslXxmYAOuMmLWlFusGETcaa1XdAkKjm+4o 1HPQ==
X-Gm-Message-State: AOAM532lZIoSxMtThppW4hkUqNk2WhT5NaogZQ0eZ4SDhBtuhZxUYqa1 yfCKEdOlGaj9awQMYclIUTUWjSYniAon7as9Xsdxyl+mnSGxiQ==
X-Google-Smtp-Source: ABdhPJz+oqTv8H2upmZrKJs6cQW4Q8FIhSC416KYvQm+U3iJyrkPs6lMJKrbhTOWghz+AovBqgGy/DrQJG5EUWrm7Mw=
X-Received: by 2002:a5b:d41:: with SMTP id f1mr33710042ybr.523.1618152974903; Sun, 11 Apr 2021 07:56:14 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <20210410175712.GF9612@localhost> <> <20210410195048.GG9612@localhost> <> <> <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Sun, 11 Apr 2021 10:56:03 -0400
Message-ID: <>
Subject: Re: Quic: the elephant in the room
To: IETF Discussion Mailing List <>
Content-Type: multipart/alternative; boundary="00000000000042ee2e05bfb399f8"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Apr 2021 14:56:21 -0000

On Sun, Apr 11, 2021 at 12:36 AM Viktor Dukhovni <>

> On Sun, Apr 11, 2021 at 12:20:28AM -0400, Phillip Hallam-Baker wrote:
> > Only VERIFYING digital signatures provides security. And nobody knows
> what
> > to do when DNSSEC validation fails so nobody really does it
> This is false both in premise and conclusion.  I was tempted to ignore
> the rest of the post, but ...

If nobody is ever going to check the sigs, they could simply be random

I had a PGP sig on some of my USENET posts for a while. Nobody ever checked
it and nobody ever noticed it was a static sig that never changed.

> > On the trust root issue. Alice should be the root of trust for Alice, Bob
> > should be the root of trust for Bob. That is what I have been building.
> And
> > with an application that secures data at rest without rendering it
> unusable.
> I concur that the mesh is a good idea worth pursuing, you don't need to
> try to prove everything/everyone else wrong in order be right.

There are two possible ways forward. One it to use the Mesh itself and the
other is
to backport ideas proven in the Mesh back to the legacy system.

To justify the deployment of a new infrastructure, I do have to show that
backporting is infeasible. I have paid particular attention to the reason
the failure of DNSSEC and DANE precisely because I want to understand what
the criteria are for success.

The conclusion I find it difficult to avoid is that it is possible to graft
security features onto an insecure system but it is not practical to move
from an insecure default permit environment to a secure default deny