Re: https at ietf.org
Phillip Hallam-Baker <hallam@gmail.com> Sun, 08 December 2013 18:21 UTC
In-Reply-To: <52A176E0.1050708@dougbarton.us>
References: <20131125180608.55454.qmail@joyce.lan> <E5836934-317D-4E73-80CC-B8847047852A@virtualized.org> <CAMm+LwhXb6uYJLie1FmJE34aC0EO39_t7331X1O0iD=-gmSEvw@mail.gmail.com> <38B94CB1-C62A-4BAC-85D4-B08FB7315CE9@virtualized.org> <CAMm+LwhF5-nEdM0Rjh1XtK1X=_xo6GkqPnZgfGaCEJ19g8ULrg@mail.gmail.com> <52A176E0.1050708@dougbarton.us>
Date: Sun, 08 Dec 2013 13:21:19 -0500
Message-ID: <CAMm+LwiH=1446tXZLKxUyz+jpMHy573aAd5zg1_+Z4kEbVc33A@mail.gmail.com>
Subject: Re: https at ietf.org
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Doug Barton <dougb@dougbarton.us>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
On Fri, Dec 6, 2013 at 2:04 AM, Doug Barton <dougb@dougbarton.us> wrote:

> On 12/02/2013 01:02 PM, Phillip Hallam-Baker wrote:
>
>> These processes were in use in commercial PKI before the first DNSSEC draft was written over twenty years ago.
>
> Yes, ICANN took advantage of a large existing knowledge base to create a method of securing the root KSK. It would have been foolish to do otherwise.

David asserted that the processes used by ICANN provided greater security than those for PKIX PKI; I was pointing out that the claim made is false.

>> What you do not appear to grasp is that the processes for online roots are necessarily different as these have to be used at regular intervals.
>
> David is far too polite a person to say so, but frankly I find your condescension offensive. To the extent that you have useful things to contribute to the discussion it would be great if you could do so without being rude. If for no other reason than the gratuitous rudeness obstructs whatever valid points you may have.

When someone repeats FUD after having the issue explained to them repeatedly I tend to start speaking plainly.

And I am far too polite to point out that the manner of your response is hypocritical.

>> While it might be practical to sign the DNS root zone offline, it certainly is not practical to sign .com or any other TLD of consequence offline (except possibly .gov).
>
> Rather than continuing to discuss theory, what would be useful at this point would be for you to do what has been asked several times now.

As I pointed out, what I was objecting to was yet another iteration of someone asserting that the DNSSEC PKI is different from the CA system in a way that it is not actually different.

So I don't have to fix DNSSEC; all I need to fix here is to have David and others stop making claims for the protocol that are not supported by evidence. The problem of securing an online system is intrinsic to the problem of running PKI at scale.

> Describe, in detail, what your threat vector is. Include in your description the method by which the root, or any other trust anchor would be compromised, and how that compromise would affect end users _given how DNSSEC works today_. Otherwise, please stop shouting "the sky is falling."

Please stop making unfair comparisons. Comparing the offline security management of DNSSEC to the performance of the online CA system is not a fair comparison. The offline components of the two systems are essentially identical.

-- 
Website: http://hallambaker.com/