Re: Quic: the elephant in the room

Michael Thomas <mike@mtcc.com> Sun, 11 April 2021 22:26 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75FA3A2137 for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 15:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3PYI6nrO17v for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539773A2132 for <ietf@ietf.org>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
Received: by mail-pj1-x102d.google.com with SMTP id r13so1822182pjf.2 for <ietf@ietf.org>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=gUI7np9MZiZILlndBQ9giGRUA8dUhx9/6lAbl/HBHyE=; b=jY4glWXIvph2fG1GE5QxeDbGmAGr5NfCBzNeBqU1YdSa25DtbIX/DcXRyyQ1ljjw8M hzkpsbLZIoU+1HeV6Fh7LMY4kuQVUuzAMD+5JoXkjArkfQ2KEfISgOIFvobK1BxN8MgV TVnj4MfdqAkJKKTHyBvB0e6uUoVbdzZ+W4cw4Jsc+BllFDqRTPq60NoxD6cCAVQ+Q5wf 2pGTBsC78SzvzAx5jQB0mEBrsiaOYUF+wOPQ5Rkn8Kj76tEmrLqI1AibCra0Bl+AIYCf kS0vVlVyBYdBtGS59OXAtbjpPvfu2bqW3zAqz+5t8G7F+DbApWT2PphC7nLNKCQD5uQj +GUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=gUI7np9MZiZILlndBQ9giGRUA8dUhx9/6lAbl/HBHyE=; b=WI+D+Rr7P6fLuK7xe2e/jOuzv57w3jI43zaKxc7QheUXxQwIoP9M9gvt/qf0O9gcse 1rLvAQUtotGg10gGq8TfUMHXPF9/KPT+fAlk1n24gAdmiPC3apfkzwU3TViv7RkjZXKF y9EVfCcI3g1QPhX26Xozw8bY6xTnNQkDeU6G2SVGJJdnJmB0K9g1xfVm5LzxVMqEymSn z/5EazSCz9ybx89PbnolnnWm3GPicM58dbHv0ryPfMKaO8P+b5dgqm6OdNYNadKxzxpQ wpnKKYXH6gy2LUIb0BwyaVOZs5SNhJW6fFBZ9sn5Hje188ihyFE6iQYygPKhWbAmNJdx O+OA==
X-Gm-Message-State: AOAM530IZeEe9f9+0UImudm9uCa+ge7sqK7p+i2V3ABr9d1HryLuq/iq 5vZH1HLUFgMUvCe+3YGcjR1zkdggaAxC8w==
X-Google-Smtp-Source: ABdhPJwAyWyipPBTsZgEpUbo+iGs9xaNYmLVqZByGk6/PvYOBAX0N2prRHWR4XokPZtcJP6MRQBk9A==
X-Received: by 2002:a17:90b:88f:: with SMTP id bj15mr2942600pjb.147.1618179994199; Sun, 11 Apr 2021 15:26:34 -0700 (PDT)
Received: from mike-mac.lan (107-182-38-56.volcanocom.com. [107.182.38.56]) by smtp.gmail.com with ESMTPSA id g8sm8030815pfr.106.2021.04.11.15.26.33 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 11 Apr 2021 15:26:33 -0700 (PDT)
Subject: Re: Quic: the elephant in the room
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com> <CAMm+Lwj-O3NMJ+zWbfOViUXE1PBPzOZ6E1iPfZ0uWAj+1Q=_-w@mail.gmail.com> <ade4b396-507b-c969-ff32-2b3291fc14fc@mtcc.com> <CAMm+Lwh6ZaR2aQ_j15q9FwdYHojuFxG_GscRQjGXdD_t4z_fqA@mail.gmail.com> <ffd180f0-0359-9a84-9889-de395df3127a@mtcc.com> <CAMm+LwgnY70pDxVf43Yfi27n-Hf8swhP0zF3K4=ErpgQa7SeuA@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <1a8cf0ab-c656-a0d2-e430-3a4ad35353bb@mtcc.com>
Date: Sun, 11 Apr 2021 15:26:32 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgnY70pDxVf43Yfi27n-Hf8swhP0zF3K4=ErpgQa7SeuA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------96552D99D58AFA6A98A1BB80"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/mvJazFLiqmREhzX6n-4ZnH4KRQk>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 22:26:41 -0000

On 4/11/21 2:27 PM, Phillip Hallam-Baker wrote:
> On Sun, Apr 11, 2021 at 4:13 PM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>     On 4/11/21 12:56 PM, Phillip Hallam-Baker wrote:
>
>>     On Sun, Apr 11, 2021 at 3:34 PM Michael Thomas <mike@mtcc.com
>>     <mailto:mike@mtcc.com>> wrote:
>>
>>         We already have a widely adopted example where we ignored the
>>         webpki folks too: DKIM.
>>
>>     That is completely false. I was a member of the DKIM working
>>     group and its predecessors. Two years before the DKIM WG was
>>     started, I designed a DNS based key credentialing scheme together
>>     with a major technology vendor. This was demonstrated to Yahoo by
>>     my CEO, Stratton Sclavos before the date of the Yahoo patent claim.
>
>     Uh, Jim and I didn't use certificates in the design of IIM and
>     neither did Mark with DK. Since the three of us were the basis of
>     the combined protocol
>
> I am very surprised that you are unaware of the Sender-ID protocol. 
> Surely Jim mentioned it to you. That was joint work with a third 
> party. We agreed not to put our proposal on the table so as to make it 
> easier for work to proceed.

I don't remember when we became aware of sender-id. I don't know what it 
has to do with anything either.


>     We showed Jon our design before we released it as a sanity check.
>     At no time did he say anything about certificate based approaches.
>
> Again, you assume that VRSN was only interested in certificates.

It is a big part of their business model.


>
> DKIM was designed for SMTP and SMTP alone. It is not a model that can 
> be generalized to other protocols and we knew that at the time. It is 
> certainly not a pattern I would want people to repeat as a paragon.

The key fetching mechanism was purposefully made agnostic. We always 
envisioned it as being useful for other key distribution needs.


>
> IIM was a better approach if you wanted to go for policy. The 
> web-service-discovery draft above is basically taking ideas from IIM 
> and Stuart Cheshire's DNS Service Discovery work.
>
>
>>     Given where we are now with all SMTP using STARTTLS, I would
>>     probably look to implement TLS client auth instead which would
>>     allow fast restart to amortize the public key operations. But
>>     thats not where we were then.
>
>     TLS doesn't do anything to help the end-to-end authentication.
>
> DKIM provides 'middle to end' authentication, not end to end. Since it 
> is (usually) checked only in the middle, middle to middle might have 
> been as good a choice.

The point remains: DKIM brought something that goes beyond point to 
point to anchor reputation on.

Mike
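The two mechanisms the thread argues about, the DNS-based key fetch (selector and domain from the signature, looked up as a TXT record at selector._domainkey.domain) and the "checked in the middle" model where the verifying MTA reports the d= domain as header.d= in Authentication-Results, as an added Python example. This is not code from the thread or from any DKIM implementation; the DKIM-Signature input is copied from this message's own headers with the b= value replaced by a placeholder, the DNS key records are constructed with placeholder p= values, and no DNS query or signature verification is performed.

```python
import re

# Constructed input: the DKIM-Signature header from this message's own
# headers, with the b= (signature) value replaced by a placeholder.
DKIM_SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; "
    "h=subject:to:cc:references:from:message-id:date:user-agent\r\n"
    " :mime-version:in-reply-to:content-language; "
    "bh=gUI7np9MZiZILlndBQ9giGRUA8dUhx9/6lAbl/HBHyE=; b=PLACEHOLDER"
)

# Constructed DNS TXT records of the form served at <selector>._domainkey.<domain>
# (the p= value is a placeholder, not a real key).
KEY_RECORD_ACTIVE = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
KEY_RECORD_REVOKED = "v=DKIM1; k=rsa; p="

REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list; the same grammar is used by the
    DKIM-Signature header and by the DNS key record."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Folding whitespace inside a value (a wrapped h= or b=) is not significant.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def signed_headers(sig_tags):
    """Header fields covered by the signature, lower-cased, in signing order."""
    return [h.lower() for h in sig_tags["h"].split(":") if h]


def parse_dkim_signature(header_value):
    """Parse and sanity-check a DKIM-Signature header before any key lookup."""
    tags = parse_tag_list(header_value)
    missing = [t for t in REQUIRED_SIGNATURE_TAGS if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported version: {tags['v']}")
    if "from" not in signed_headers(tags):
        raise ValueError("From header must be signed")
    return tags


def key_query_name(sig_tags):
    """DNS name a verifier queries (TXT) for the signer's public key."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def parse_key_record(txt):
    """Interpret a DKIM key record; an empty p= means the key is revoked."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    return {
        "key_type": tags.get("k", "rsa"),
        "public_key_b64": tags["p"],
        "revoked": tags["p"] == "",
    }


def signing_domain(sig_tags):
    """The d= domain is what the verifying MTA reports as header.d= in
    Authentication-Results and what reputation is anchored on."""
    return sig_tags["d"].lower()


if __name__ == "__main__":
    sig = parse_dkim_signature(DKIM_SIGNATURE_HEADER)
    print("query:", key_query_name(sig))
    print("signed:", signed_headers(sig))
    print("signer:", signing_domain(sig))
    print("active:", parse_key_record(KEY_RECORD_ACTIVE))
    print("revoked:", parse_key_record(KEY_RECORD_REVOKED))
```

Nothing in the tag grammar or the query-name construction is SMTP-specific, which is the sense in which the key-fetch step is protocol-agnostic; what ties DKIM to mail is the canonicalization of headers and body that feeds the signature, which this example deliberately stops short of.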