Re: Quic: the elephant in the room
Ben Laurie <benl@google.com> Sun, 11 April 2021 14:38 UTC
Return-Path: <benl@google.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252013A0E07 for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 07:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQSSs3Nq6dlL for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 07:38:47 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EEEB3A0DB2 for <ietf@ietf.org>; Sun, 11 Apr 2021 07:38:45 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id f4so3390658uad.12 for <ietf@ietf.org>; Sun, 11 Apr 2021 07:38:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=zHtiWabxV8f0iHdaAHZGe+RHoMucyGwVF3JJmeBbEQ8=; b=YzPh4Cx+bdhAchvSjPKu8952ui2KArH1SsYgPVzbvkmOsIbajxMhqJMlvp6wCj6Me9 ajWALIQNumMcxjxdGRtxTNypFeY2NEb+5XnqSJeLwVxnvoAQPAwLxSN+OHz+fQcDcNhK gRe8zZq3UGf3NtX6A+IhWRJ9FqIX5rcOajiafb8m00dk5rWFfykKKz/VAxvrWFw2F+hN xK4InzdyCzWLcqVFtVraBVZbEK5W92/ISKRlPr7eVeArid0ibGix5mdyaN5meYQYIDVP Hou66QbV/C9SeuxhCADnq0XdHAEMhTgVS2COZptK87cJakiJh9I3c6S+TmtnAzeo8+wi URBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=zHtiWabxV8f0iHdaAHZGe+RHoMucyGwVF3JJmeBbEQ8=; b=Z1jRDocCslkhM8lzbBr5Cff5PW1Uc7cao7BsROEqp3y+jQaWVrJ74vkPu7m/MI14xy l3GnrcQTbAIZZ3I2gitQOYWC5m+YXUlktBIxJrYG+d3IJvjAQvcgmyseampNhyx9ZDBh LusY9bby2dMK8312PkuMTzSePQuFnATgJqbNlf6jxAcRdsU/OXf1EdKs2K1oAQyX1kLr haUI+qyarCWvkIrOvMxW8tJFq4c4DHYfTHVrxZg7TlkqhugsFzHSFIhSutTkwicvN+Da fpjyCnwpHERBzX+jRjPuf8CMdsQ6lPc9pxlh4F3e+y5I3EqgFvtNRrNSDSh97SLJSXxu Yfww==
X-Gm-Message-State: AOAM531EyK7exohjb3K0i8+ANTUaatYzNf51Q8WaVKr7NdGagH6Ojoeb iIVFwlpCEQ8m6k6tZVEYMObf5Duyta7E54cIxT5vNFW1ee0=
X-Google-Smtp-Source: ABdhPJzwWCKd/UasVDz1wgFd8ahMeWkNgF/CCa4RMxtHq3X6gsyudK6Y8lU3DgjWeY+s20bR9fOXMvlCJmRqKtOnXik=
X-Received: by 2002:ab0:2248:: with SMTP id z8mr3422167uan.91.1618151923495; Sun, 11 Apr 2021 07:38:43 -0700 (PDT)
MIME-Version: 1.0
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <CABrd9STZXonBDvWB7Z36H2mD20Juubc01TUmEvpfWkvJggQVOQ@mail.gmail.com> <20210410175712.GF9612@localhost> <926C5F27-E011-4809-88DB-DBC9A8976D01@dukhovni.org>
In-Reply-To: <926C5F27-E011-4809-88DB-DBC9A8976D01@dukhovni.org>
From: Ben Laurie <benl@google.com>
Date: Sun, 11 Apr 2021 15:38:32 +0100
Message-ID: <CABrd9SSr9yPcDt-9MFb03kd25Ut7DbG2KihH5ucOHGkk5A1TvA@mail.gmail.com>
Subject: Re: Quic: the elephant in the room
To: IETF Discussion List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000983dbc05bfb35a88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/kXGpCrtE5BZPVFFfG0OGRk8LPro>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 14:38:57 -0000
On Sat, 10 Apr 2021 at 19:09, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Apr 10, 2021, at 1:57 PM, Nico Williams <nico@cryptonector.com> > wrote: > > > >> When I was designing Certificate Transparency, Chrome ruled out any side > >> channel communications requirement during handshake. Given that DNS is > >> required anyway, perhaps this would be different. However, the other > >> problem is introducing DNS as a trust root - the DNS hierarchy is > >> considerably less secure than CAs were even before CT but now it's > really a > >> very poor option in comparison. > > > > I disagree with that last sentence. > > > > First, having a PKI with hard naming constraints and a single root > > (though with alternatives supported) is considerably better than WebPKI, > > which has neither of those. > > Ben's claim that CAs are "more secure" than DNSSEC is demonstrably > in error in a world where all that CAs do is issue DV certs that > attest to "domain control". > If that were the only consideration, I would agree. However, as I replied a few minutes ago, the security of the operators is also important and it was that I was referring to. > > If you don't trust the ICANN root, you can't trust DV certs, since > all they do is memoise some DNS-derived data you don't trust. Indeed > it takes DNSSEC (and CAs honouring DNSSEC-signed CAA records) to somewhat > improve the rather weak assurance that DV provides. > Incorrect - CT would reveal ICANN's misbehaviour. > > Perhaps CT adequately hardens this model for Google's domains, if > they're sufficiently vigilant to detect unauthorised certificate > issuance (after the fact), but for the rest of us, tracking the > CT logs is not actually practical. > I do agree that we really also need verifiable maps of domain -> certs which would make it easy for anyone to monitor their own domains. However, there are also plenty of services that will do this tracking for you (yes, you do have to trust them to behave themselves).
- Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Stephane Bortzmeyer
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: DNS vs PKI, was Quic: the elephant in the room John Levine
- Re: DNS vs PKI, was Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: th… Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic… Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality (was: Re: Quic… Viktor Dukhovni
- Re: Quic: the elephant in the room Andrew McConachie
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality Marco Davids
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Salz, Rich
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John Levine
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Mark Andrews
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Andrew McConachie
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Eliot Lear
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John R Levine
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Jim Fenton
- Re: DNSSEC architecture vs reality Masataka Ohta
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Donald Eastlake
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Viktor Dukhovni
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Vittorio Bertola
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: Fwd: Quic: the Elephant in the Room Michael Thomas
- Fwd: Quic: the Elephant in the Room Lars Eggert
- RE: Fwd: Quic: the Elephant in the Room Vasilenko Eduard
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker