Re: Quic: the elephant in the room

Michael Thomas <> Sun, 11 April 2021 22:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B75FA3A2137 for <>; Sun, 11 Apr 2021 15:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O3PYI6nrO17v for <>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 539773A2132 for <>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
Received: by with SMTP id r13so1822182pjf.2 for <>; Sun, 11 Apr 2021 15:26:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=gUI7np9MZiZILlndBQ9giGRUA8dUhx9/6lAbl/HBHyE=; b=jY4glWXIvph2fG1GE5QxeDbGmAGr5NfCBzNeBqU1YdSa25DtbIX/DcXRyyQ1ljjw8M hzkpsbLZIoU+1HeV6Fh7LMY4kuQVUuzAMD+5JoXkjArkfQ2KEfISgOIFvobK1BxN8MgV TVnj4MfdqAkJKKTHyBvB0e6uUoVbdzZ+W4cw4Jsc+BllFDqRTPq60NoxD6cCAVQ+Q5wf 2pGTBsC78SzvzAx5jQB0mEBrsiaOYUF+wOPQ5Rkn8Kj76tEmrLqI1AibCra0Bl+AIYCf kS0vVlVyBYdBtGS59OXAtbjpPvfu2bqW3zAqz+5t8G7F+DbApWT2PphC7nLNKCQD5uQj +GUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=gUI7np9MZiZILlndBQ9giGRUA8dUhx9/6lAbl/HBHyE=; b=WI+D+Rr7P6fLuK7xe2e/jOuzv57w3jI43zaKxc7QheUXxQwIoP9M9gvt/qf0O9gcse 1rLvAQUtotGg10gGq8TfUMHXPF9/KPT+fAlk1n24gAdmiPC3apfkzwU3TViv7RkjZXKF y9EVfCcI3g1QPhX26Xozw8bY6xTnNQkDeU6G2SVGJJdnJmB0K9g1xfVm5LzxVMqEymSn z/5EazSCz9ybx89PbnolnnWm3GPicM58dbHv0ryPfMKaO8P+b5dgqm6OdNYNadKxzxpQ wpnKKYXH6gy2LUIb0BwyaVOZs5SNhJW6fFBZ9sn5Hje188ihyFE6iQYygPKhWbAmNJdx O+OA==
X-Gm-Message-State: AOAM530IZeEe9f9+0UImudm9uCa+ge7sqK7p+i2V3ABr9d1HryLuq/iq 5vZH1HLUFgMUvCe+3YGcjR1zkdggaAxC8w==
X-Google-Smtp-Source: ABdhPJwAyWyipPBTsZgEpUbo+iGs9xaNYmLVqZByGk6/PvYOBAX0N2prRHWR4XokPZtcJP6MRQBk9A==
X-Received: by 2002:a17:90b:88f:: with SMTP id bj15mr2942600pjb.147.1618179994199; Sun, 11 Apr 2021 15:26:34 -0700 (PDT)
Received: from mike-mac.lan ( []) by with ESMTPSA id g8sm8030815pfr.106.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 11 Apr 2021 15:26:33 -0700 (PDT)
Subject: Re: Quic: the elephant in the room
To: Phillip Hallam-Baker <>
Cc: "Salz, Rich" <>, IETF Discussion Mailing List <>
References: <> <> <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Sun, 11 Apr 2021 15:26:32 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------96552D99D58AFA6A98A1BB80"
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Apr 2021 22:26:41 -0000

On 4/11/21 2:27 PM, Phillip Hallam-Baker wrote:
> On Sun, Apr 11, 2021 at 4:13 PM Michael Thomas < 
> <>> wrote:
>     On 4/11/21 12:56 PM, Phillip Hallam-Baker wrote:
>>     On Sun, Apr 11, 2021 at 3:34 PM Michael Thomas <
>>     <>> wrote:
>>         e already have a widely adopted example where we ignored the
>>         webpki folks too: DKIM.
>>     That is completely false. I was a member of the DKIM working
>>     group and its predecessors. Two years before the DKIM WG was
>>     started, I designed a DNS based key credentialing scheme together
>>     with a major technology vendor. This was demonstrated to Yahoo by
>>     my CEO, Stratton Sclavos before the date of the Yahoo patent claim.
>     Uh, Jim and I didn't use certificates in the design of IIM and
>     neither did Mark with DK. Since the three of us were the basis of
>     the combined protocol
> I am very surprised that you are unaware of the Sender-ID protocol. 
> Surely Jim mentioned it to you. That was joint work with a third 
> party. We agreed not to put our proposal on the table so as to make it 
> easier for work to proceed.

I don't remember when we became aware of sender-id. i don't know what it 
has to do with anything either.

>     We showed Jon our design before we released it as a sanity check.
>     At no time did he say anything about certificate based approaches.
> Again, you assume that VRSN was only interested in certificates.

It is a big part of their business model.

> DKIM was designed for SMTP and SMTP alone. It is not a model that can 
> be generalized to other protocols and we knew that at the time. It is 
> certainly not a pattern I would want people to repeat as a paragon.

The key fetching mechanism was purposefully made agnostic. We always 
envisioned it as being useful for other key distribution needs.

> IIM was a better approach if you wanted to go for policy. The 
> web-service-discovery draft above is basically taking ideas from IIM 
> and Stuart Cheshire's DNS Service Discovery work.
>>     Given where we are now with all SMTP using STARTTLS, I would
>>     probably look to implement TLS client auth instead which would
>>     allow fast restart to amortize the public key operations. But
>>     thats not where we were then.
>     TLS doesn't do anything to help the end-to-end authentication.
> DKIM provides 'middle to end' authentication, not end to end. Since it 
> is (usually) checked only in the middle, middle to middle might have 
> been as good a choice.

The point remains: DKIM brought something that goes beyond point to 
point to anchor reputation on.