Re: Security for various IETF services

Dave Cridland <dave@cridland.net> Thu, 10 April 2014 21:34 UTC

Return-Path: <dave@cridland.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2648C1A01BA for <ietf@ietfa.amsl.com>; Thu, 10 Apr 2014 14:34:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eb30crElXe25 for <ietf@ietfa.amsl.com>; Thu, 10 Apr 2014 14:34:48 -0700 (PDT)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id ACAA81A0073 for <ietf@ietf.org>; Thu, 10 Apr 2014 14:34:48 -0700 (PDT)
Received: by mail-ob0-f172.google.com with SMTP id wm4so5132230obc.3 for <ietf@ietf.org>; Thu, 10 Apr 2014 14:34:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=grZxw5ma3bXKfgTknJhnZDANyp4kuLyFNo3uW+AeqRo=; b=SZX9jq1DlMjwdOptLydTlA1ECm/o14Qip9NdfTrtWYmSDpoUR6uBDVBCGmOik0G6wZ 720SBfyehpHGgRLMJj6n0uvuBwKgqDw1U1OL07ykyPsOe/gRHcVl6f+7CoDGE6/i8r0E XQrJhC2gQKTZ0QqN8fQlgtVHKDMW2F99wMVvc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=grZxw5ma3bXKfgTknJhnZDANyp4kuLyFNo3uW+AeqRo=; b=UKM6xcqNp1li2KjIOi73Y0scuqlqWCzdvBjbC/hXcz2Vz8NXcmsHUNDJj/O7qzWedA F1RbeEbmiWug/jHT1qqETzxos6p2fMLvz6YXTIX1SN9Wfo0R+qOWNaKZczZvsnrwhJEY xcuRgKT9N7nNy+4YIiJJoEVCDYkdECr0lqJkS3e1Ge/AtyhUWLI/il1L4x6tsmdqS0X5 wSnyh94JWN8Z6GvZY5u9XbpRk+LzjKjVptwCn7ejaajsLqx3CZyvYgyR2/YQ4vNxIU0I yrk6pSIMFjYIAjBdya1bbTXBXfwrUTYySetk9P7dRrbyPAJFoSvrdOS9iMbiGnpnXEux tmRQ==
X-Gm-Message-State: ALoCoQlBdvGeIUX2dg2JfyNCrydNQKLNwzkvMWkTTFVRuepcrgywfOJr2nC0Xyt1YxIdSVdYd2W+
MIME-Version: 1.0
X-Received: by 10.60.157.202 with SMTP id wo10mr4074860oeb.9.1397165687491; Thu, 10 Apr 2014 14:34:47 -0700 (PDT)
Received: by 10.60.93.6 with HTTP; Thu, 10 Apr 2014 14:34:47 -0700 (PDT)
In-Reply-To: <CAKHUCzzS82uk-z120zWqh+B-9i7fdhNX1bJSscXLZkG5wOQb1Q@mail.gmail.com>
References: <20140409154919.11E6118C106@mercury.lcs.mit.edu> <534580AF.4080602@dcrocker.net> <20140409200814.GA15303@thunk.org> <3C46B827-BFFC-4A9E-B600-A1E79C839970@shinkuro.com> <CAKHUCzymXu0TGEYD6dQj9OVhGn2pgE9nPqDG6guV+RS+L8XTow@mail.gmail.com> <534676DB.7090002@dcrocker.net> <CAKHUCzzS82uk-z120zWqh+B-9i7fdhNX1bJSscXLZkG5wOQb1Q@mail.gmail.com>
Date: Thu, 10 Apr 2014 22:34:47 +0100
Message-ID: <CAKHUCzzxu-RQyMMEtXRxmgu6UHy7q9j-DPa2S3mZ9-_Efk9bRQ@mail.gmail.com>
Subject: Re: Security for various IETF services
From: Dave Cridland <dave@cridland.net>
To: Dave Crocker <dcrocker@bbiw.net>
Content-Type: multipart/alternative; boundary=047d7bd6c5e87ee44b04f6b6fccc
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/hHzMWuSaWAwlvC1he7dJCCYZJlI
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 21:34:53 -0000

On 10 April 2014 16:37, Dave Cridland <dave@cridland.net> wrote:

> On 10 April 2014 11:47, Dave Crocker <dhc@dcrocker.net> wrote:
>
>> On 4/9/2014 3:36 PM, Dave Cridland wrote:
>>
>>> DNSSEC, and DANE, allow you to provide a "Domain Validated" public key,
>>> much like the cheap/free certificates currently available from CAs, but
>>> more reliably and simply. I think the same level of trust is there
>>> either way, except that the cheap/free CA certs are very weakly
>>> validated in practice.
>>>
>>
>>
>> What deployment and use has DANE achieved, so far?
>>
>>
> Like all new security technology it's slow going. In the DANE case, we're
> obviously limited by the deployment of DNSSEC itself as well.
>
> Within the XMPP community, which is really the only place I'm able to
> track, https://xmpp.net/stats.php will
>

not, because I'm an idiot who didn't check the URI he typed, but
https://xmpp.net/reports.php will


> give you the live information, but to save you looking, the percentages
> are still pretty low. 83 sites out of 3283, so about 2.5%, support DANE.
> 6.3% deploy DNSSEC signed SRV records. We have, on those servers tested,
> 100% TLS deployment, but only about 49.4% of those use trusted certificates
> (there's a lot of CACert.org which are considered untrusted here).
>
> Given that DANE itself is not yet fully specified for XMPP, and is less
> than two years old, I think this is reasonable traction.
>
> These stats are gathered and maintained by Thijs Alkemade's excellent
> software, by the way, I don't mean to take any credit for this. I just read
> 'em.
>
> Dave.
>
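The post describes DANE (RFC 6698) as a way to publish a domain-validated key in DNSSEC-signed DNS, and separately counts servers with DNSSEC-signed SRV records. The example below, added here and not code from the post, from Thijs Alkemade's xmpp.net software or from any XMPP server, shows the two pieces a client has to get right: deriving the TLSA owner name from the SRV target (which is why the SRV answer itself must be signed for XMPP), and matching a presented certificate against a TLSA record under the DANE-EE usage, where the CA that issued the certificate is irrelevant. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER, and the `dnssec_authenticated` flag stands in for the AD bit a validating resolver reports over a trusted channel; obtaining that bit securely is assumed, not shown.

```python
"""DANE/TLSA matching for an XMPP server-to-server target (RFC 6698 field
semantics). Added example; the DER byte strings and TLSA records here are
constructed placeholders, not real keys or certificates."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 6698 certificate usage / selector / matching type values.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form, e.g. '3 1 1 2bb1...'. Zone files may split
    the hex data across whitespace, so all trailing tokens are joined."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_owner_name(srv_target: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for the host an SRV record points at.
    Because the lookup is keyed on the SRV *target*, an unsigned SRV answer
    would let an attacker redirect the client to a host whose TLSA records
    they control; the SRV RRset therefore has to be DNSSEC-signed as well."""
    return f"_{port}._{proto}.{srv_target.rstrip('.')}."


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """Bytes the presented certificate yields for this record's selector and
    matching type, or None if the record uses values this code does not
    understand (such records are unusable and must be skipped, not trusted)."""
    if record.selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif record.selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        return None
    if record.matching_type == MATCH_FULL:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    return None


def dane_ee_matches(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes,
                    dnssec_authenticated: bool) -> bool:
    """True if the end-entity certificate is accepted under any DANE-EE
    (usage 3) record. Only usage 3 replaces CA validation outright: usages
    0 and 1 additionally require PKIX validation and usage 2 requires chain
    building to the named trust anchor, neither of which is done here, so
    those records never produce a match in this function. TLSA data that did
    not come from a DNSSEC-validated response carries no trust at all."""
    if not dnssec_authenticated:
        return False
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue
        presented = association_data(rec, cert_der, spki_der)
        if presented is not None and presented == rec.data:
            return True
    return False


def tlsa_for_spki(spki_der: bytes) -> str:
    """Presentation-form '3 1 1' record an operator would publish for a key:
    DANE-EE, SPKI selector, SHA-256. This is the record type that makes the
    issuing CA (or its absence) irrelevant to the client."""
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCH_SHA256} {hashlib.sha256(spki_der).hexdigest()}"


if __name__ == "__main__":
    # Constructed placeholders standing in for a server's DER certificate and SPKI.
    cert = b"constructed-certificate-der"
    spki = b"constructed-spki-der"
    name = tlsa_owner_name("xmpp.example.net", 5269)
    rec = parse_tlsa(tlsa_for_spki(spki))
    print(name, dane_ee_matches([rec], cert, spki, dnssec_authenticated=True))
```

Note that the `==` comparison is fine here: TLSA association data is public DNS content, so there is no secret to leak through timing. What a real client must get from elsewhere is the DNSSEC validation result; without it, this function correctly refuses every record.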