Re: Near-Real-Time TLS and DNS Validation using a Multi-Vantage-Point Network of Secure Mirrors

John R Levine <johnl@taugh.com> Sat, 17 August 2024 00:12 UTC

Date: Fri, 16 Aug 2024 20:12:26 -0400
Message-ID: <1c7482fc-e3aa-bf8c-d4a5-e8bad8143021@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Nick Lockheart <lists@ageofdream.com>, IETF general list <ietf@ietf.org>
X-X-Sender: johnl@ary.qy
Subject: Re: Near-Real-Time TLS and DNS Validation using a Multi-Vantage-Point Network of Secure Mirrors
In-Reply-To: <2e87d14ff55ff38e0d7397b3518d1b23a7e56dd8.camel@ageofdream.com>
References: <0b313823746be8de9c9b0ba59e0f2252ae42e036.camel@ageofdream.com> <CAKr6gn3fA51Y9kb3RJx=C_en3Bi-DgRGbicfpqtZWd7RRaCxAw@mail.gmail.com> <5350.1723669821@obiwan.sandelman.ca> <070c74b38d44ad9c677c9e282646cb9caac4fc42.camel@ageofdream.com> <2a32c4e310f6c543b19d136ecd2cef3083d5de6e.camel@ageofdream.com> <20240816140729.16DA091E2832@ary.local> <2e87d14ff55ff38e0d7397b3518d1b23a7e56dd8.camel@ageofdream.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/FUZxjwNDgUQV87m2nQJHx7I8xeM>

On Fri, 16 Aug 2024, Nick Lockheart wrote:
> That is, Chase Bank's chase.com certificate should only be signed by
> the JP Morgan IT department.

I don't understand how that's supposed to work.

I'm looking at two web sites chasebank.com and chasebankusa.com.  Both 
have signatures claiming they are from JP MORGAN CHASE BANK, 383 MADISON 
AVE, NEW YORK NY 10179.  How do I tell which, if either, is real?  Once 
I've done that, am I expected to do the same thing for each of the hundred 
other web sites I visit each day?

R's,
John