Re: https at ietf.org

Phillip Hallam-Baker <hallam@gmail.com> Sun, 08 December 2013 18:21 UTC

On Fri, Dec 6, 2013 at 2:04 AM, Doug Barton <dougb@dougbarton.us> wrote:

> On 12/02/2013 01:02 PM, Phillip Hallam-Baker wrote:
>
>> These processes were in use in commercial PKI before the first DNSSEC
>> draft was written over twenty years ago.
>>
>
> Yes, ICANN took advantage of a large existing knowledge base to create a
> method of securing the root KSK. It would have been foolish to do otherwise.

David asserted that the processes used by ICANN provided greater security
than those for PKIX PKI; I was pointing out that the claim made is false.

>> What you do not appear to grasp is that the processes for online roots
>> are necessarily different as these have to be used at regular intervals.
>>
>
> David is far too polite a person to say so, but frankly I find your
> condescension offensive. To the extent that you have useful things to
> contribute to the discussion it would be great if you could do so without
> being rude. If for no other reason than the gratuitous rudeness obstructs
> whatever valid points you may have.

When someone repeats FUD after having the issue explained to them
repeatedly I tend to start speaking plainly.

And I am far too polite to point out that the manner of your response is
hypocritical.

>
>> While it might be practical to sign the DNS root zone offline, it
>> certainly is not practical to sign .com or any other TLD of consequence
>> offline (except possibly .gov).
>>
>
> Rather than continuing to discuss theory, what would be useful at this
> point would be for you to do what has been asked several times now.

As I pointed out, what I was objecting to was yet another iteration of
someone asserting that the DNSSEC PKI is different from the CA system in a
way that it is not actually different.

So I don't have to fix DNSSEC, all I need to fix here is to have David and
others stop making claims for the protocol that are not supported by
evidence.

The problem of securing an online system is intrinsic to the problem of
running PKI at scale.

> Describe, in detail, what your threat vector is. Include in your
> description the method by which the root, or any other trust anchor would
> be compromised, and how that compromise would affect end users _given how
> DNSSEC works today_. Otherwise, please stop shouting "the sky is falling."

Please stop making unfair comparisons. Comparing the offline security
management of DNSSEC to the performance of the online CA system is not a
fair comparison. The offline components of the two systems are essentially
identical.

-- 
Website: http://hallambaker.com/