Re: DNS vs PKI, was Quic: the elephant in the room
Michael Thomas <mike@mtcc.com> Sat, 10 April 2021 18:55 UTC
Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EBB93A0EFF for <ietf@ietfa.amsl.com>; Sat, 10 Apr 2021 11:55:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jr-nGde0948w for <ietf@ietfa.amsl.com>; Sat, 10 Apr 2021 11:55:01 -0700 (PDT)
Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0353A0EFA for <ietf@ietf.org>; Sat, 10 Apr 2021 11:55:00 -0700 (PDT)
Received: by mail-pg1-x533.google.com with SMTP id y32so6256502pga.11 for <ietf@ietf.org>; Sat, 10 Apr 2021 11:55:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=PqNumrUZdhfF0vsGMSA4rjd7EIfSXSG+64WFsQmoY4g=; b=VrrWj1MiaMyo1gDRZkR8hl0gerHKfHFINlCK9NG8u6r8X500tkc1MjarXeLFw+e5lA IlOGl3Gcj7/IyvtrPAhtrPsBzT1LUuuickz0dILawAyB+Bko4srzXXgbU1EIpfNEA6YK rF2W8CBFgj5EA7KhL0cnUP0Zv7rknnYHd/S56RAeVcALAxidhqtxW5OwzfGrh+YvvF7D aOyRlSBSMvdntwjtjPoLL4XNp/Hrhj2+vaX/TXxgNhrGN1FsMmN083LajiSouCC9GPdw rx4qZSgDszrY+vWaEjQmoEUXc79GoTCUym7l7wNJHY9eWUdsoX4uOcaCav07OREictYH 5nsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=PqNumrUZdhfF0vsGMSA4rjd7EIfSXSG+64WFsQmoY4g=; b=sAPtPfcB0OalKAmKyw+N6Vi4qvn5hLQ8OSt9jYM5YAPdvL9RSUsLTTj2XgvP4UlupM FcK1JTYDCBvADQ+X/S7e1MgGroHj0GlBeQgMeXoHJsDUMW1x3UKWbHO04NBqgaL8bM/H RSnd5JgTcZmS4QnZSUkgmCKeaNUHVZxo0VtNPpMihXpTzKORBLrA8juEO5E7bWo4M+LE SaVZjlATTNgAJ8tWO6fijbeM7NxU+YpuecPS2+Dd8nlG1/CF8UKtNdJV3EZyIwm48zMG 191F/jjETof0MzqVXAXnccDZO4EVdUAj0YwrjCBDaUsnG6tWrtjVptxvM5vO24EwZIxK +bhw==
X-Gm-Message-State: AOAM530YblVq94YIwnE+aRK6OYkwA02C8nLRvMoiR1txPzI+0vuQ/lcB bzQzicKRWteaIgQZ1S8qTQBbb2wVdCx/rQ==
X-Google-Smtp-Source: ABdhPJxLV+gfxRt3oU+AC4neT9Zpg3teucL6mK35hDHWZW3G2aCV3SDUwIvY0dB8Tpk0lqIf9Pn8og==
X-Received: by 2002:a63:1f4d:: with SMTP id q13mr8522414pgm.453.1618080899537; Sat, 10 Apr 2021 11:54:59 -0700 (PDT)
Received: from mike-mac.lan (107-182-38-56.volcanocom.com. [107.182.38.56]) by smtp.gmail.com with ESMTPSA id i126sm2272052pfc.20.2021.04.10.11.54.58 for <ietf@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 10 Apr 2021 11:54:59 -0700 (PDT)
Subject: Re: DNS vs PKI, was Quic: the elephant in the room
To: ietf@ietf.org
References: <20210410183122.CAD6E72A273B@ary.qy>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <79746317-2788-955d-baac-a24b198e95a4@mtcc.com>
Date: Sat, 10 Apr 2021 11:54:57 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <20210410183122.CAD6E72A273B@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/CYm1SHgK835Z-GDOVY_NmGpemn8>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 18:55:06 -0000
On 4/10/21 11:31 AM, John Levine wrote: > It appears that Viktor Dukhovni <ietf@ietf.org> said: >> Ben's claim that CAs are "more secure" than DNSSEC is demonstrably >> in error in a world where all that CAs do is issue DV certs that >> attest to "domain control". > More than that, the security of your DNS depends on the providers in > the chain between you and the root, which is typically short, and over > which you have a lot of control. If you have a valuable domain, you > can use a high security registrar that applies controls to zone > changes. With PKI, your security is only as good as the worst of all > of the CAs in someones browser, nearly all of which have no relation > to you and most of which you've never heard of. > > This is not a new argument and I doubt we're going to say anything new here. > The jist of my post was not that there was something new, per se but that there are many companies like google, ms, apple who are in a good position to run an experiment and see how it pans out from a deployment standpoint. One of the good things to come out of quic and spdy is the revelation that if you own both ends of the platform, you don't have to get buy in to just see if you're on the right track or not. I mean I could build up an experiment just to show proof of concept, but I don't have the ability to see in the real world how much it helps like the real world data they got with quic and spdy. Heck, maybe even IETF or W3C could have a hand in coordinating experiments so that they can be fed back to the appropriate working groups. Like I said, probably the biggest takeaway of quic is that we can prove whether something deserves more work or not instead of usual Build it and They Will Come failure mode which DANE seems to be suffering as well from what I can tell. Mike
- Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Stephane Bortzmeyer
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: DNS vs PKI, was Quic: the elephant in the room John Levine
- Re: DNS vs PKI, was Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: th… Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic… Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality (was: Re: Quic… Viktor Dukhovni
- Re: Quic: the elephant in the room Andrew McConachie
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality Marco Davids
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Salz, Rich
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John Levine
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Mark Andrews
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Andrew McConachie
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Eliot Lear
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John R Levine
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Jim Fenton
- Re: DNSSEC architecture vs reality Masataka Ohta
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Donald Eastlake
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Viktor Dukhovni
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Vittorio Bertola
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: Fwd: Quic: the Elephant in the Room Michael Thomas
- Fwd: Quic: the Elephant in the Room Lars Eggert
- RE: Fwd: Quic: the Elephant in the Room Vasilenko Eduard
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker