Re: Security for various IETF services
Dave Cridland <dave@cridland.net> Thu, 10 April 2014 21:34 UTC
Date: Thu, 10 Apr 2014 22:34:47 +0100
Subject: Re: Security for various IETF services
From: Dave Cridland <dave@cridland.net>
To: Dave Crocker <dcrocker@bbiw.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/hHzMWuSaWAwlvC1he7dJCCYZJlI
Cc: "ietf@ietf.org Discussion" <ietf@ietf.org>

On 10 April 2014 16:37, Dave Cridland <dave@cridland.net> wrote:

> On 10 April 2014 11:47, Dave Crocker <dhc@dcrocker.net> wrote:
>
>> On 4/9/2014 3:36 PM, Dave Cridland wrote:
>>
>>> DNSSEC, and DANE, allow you to provide a "Domain Validated" public key,
>>> much like the cheap/free certificates currently available from CAs, but
>>> more reliably and simply. I think the same level of trust is there
>>> either way, except that the cheap/free CA certs are very weakly
>>> validated in practice.
>>
>> What deployment and use has DANE achieved, so far?
>
> Like all new security technology it's slow going. In the DANE case, we're
> obviously limited by the deployment of DNSSEC itself as well.
>
> Within the XMPP community, which is really the only place I'm able to
> track, https://xmpp.net/stats.php will

not, because I'm an idiot who didn't check the URI he typed, but https://xmpp.net/reports.php will

> give you the live information, but to save you looking, the percentages
> are still pretty low. 83 sites out of 3283, so about 2.5%, support DANE.
> 6.3% deploy DNSSEC signed SRV records. We have, on those servers tested,
> 100% TLS deployment, but only about 49.4% of those use trusted certificates
> (there's a lot of CACert.org which are considered untrusted here).
>
> Given that DANE itself is not yet fully specified for XMPP, and is less
> than two years old, I think this is reasonable traction.
>
> These stats are gathered and maintained by Thijs Alkemade's excellent
> software, by the way, I don't mean to take any credit for this. I just read
> 'em.
>
> Dave.