Re: [saag] Whether TOFU should be considered in secure DHCPv6?

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 01 September 2016 02:46 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D106612D7C1 for <ietf@ietfa.amsl.com>; Wed, 31 Aug 2016 19:46:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtkZeKZdA3Jk for <ietf@ietfa.amsl.com>; Wed, 31 Aug 2016 19:46:08 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8018B12D1AF for <ietf@ietf.org>; Wed, 31 Aug 2016 19:46:08 -0700 (PDT)
Received: from [10.7.78.209] (unknown [38.86.167.113]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 99B25284954 for <ietf@ietf.org>; Thu, 1 Sep 2016 02:46:07 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Subject: Re: [saag] Whether TOFU should be considered in secure DHCPv6?
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <m2wpiwqtt4.wl-randy@psg.com>
Date: Wed, 31 Aug 2016 22:46:05 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <F39581CB-808F-4BAE-B017-FB820619F546@dukhovni.org>
References: <CAJ3w4NcbueARjfCH4kUkj8Znt2fLOHc4jxPN5GFrYiWsHF=wXg@mail.gmail.com> <09c0e199-07e7-81b2-e414-3920672950b7@cs.tcd.ie> <CAJ3w4Ndo6HVpLotpj426fbzj90rQZvNLsttDUocfFOarSWNFAQ@mail.gmail.com> <m2a8fssc7i.wl-randy@psg.com> <CAJ3w4NcUtOr=8-v+Bg6Sm4yPqsbTGO4RBYEGgq9Bc6N31HMHfA@mail.gmail.com> <m2wpiwqtt4.wl-randy@psg.com>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/PK6X981Urgryx3VG6t5O3gaGi_Y>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 02:46:10 -0000

> On Aug 31, 2016, at 9:42 PM, Randy Bush <randy@psg.com> wrote:
> 
> what is authenticated?  tofu and authentication are antithetical.

Except for (allegedly) EV certs, the entire Web PKI runs on TOFU,
except that it happens invisibly (swept under the rug) between the
CA and the purported domain owner.

Thus DV certs are TOFU for public consumption, where the CA gets
to regurgitate the same TOFU to feed all the relying parties.

-- 
	Viktor.