Re: https at ietf.org
John C Klensin <john-ietf@jck.com> Tue, 10 December 2013 14:00 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10F91ADF7D for <ietf@ietfa.amsl.com>; Tue, 10 Dec 2013 06:00:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BEFWB8Hrs4Jf for <ietf@ietfa.amsl.com>; Tue, 10 Dec 2013 06:00:37 -0800 (PST)
Received: from bsa2.jck.com (ns.jck.com [70.88.254.51]) by ietfa.amsl.com (Postfix) with ESMTP id B336F1ADF80 for <ietf@ietf.org>; Tue, 10 Dec 2013 06:00:37 -0800 (PST)
Received: from [198.252.137.115] (helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1VqNrP-000L5Q-7s; Tue, 10 Dec 2013 09:00:27 -0500
Date: Tue, 10 Dec 2013 09:00:22 -0500
From: John C Klensin <john-ietf@jck.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, Mark Andrews <marka@isc.org>
Subject: Re: https at ietf.org
Message-ID: <E4EC4C3190EA749BAE7898DF@JcK-HP8200.jck.com>
In-Reply-To: <CAMm+LwhyXaOP8k8tZ6-cPrmmyXXjfgO=Jr5Jyf4S+WAZus1CWQ@mail.gmail.com>
References: <20131125180608.55454.qmail@joyce.lan> <E5836934-317D-4E73-80CC-B8847047852A@virtualized.org> <CAMm+LwhXb6uYJLie1FmJE34aC0EO39_t7331X1O0iD=-gmSEvw@mail.gmail.com> <38B94CB1-C62A-4BAC-85D4-B08FB7315CE9@virtualized.org> <CAMm+LwhF5-nEdM0Rjh1XtK1X=_xo6GkqPnZgfGaCEJ19g8ULrg@mail.gmail.com> <52A176E0.1050708@dougbarton.us> <CAMm+LwiH=1446tXZLKxUyz+jpMHy573aAd5zg1_+Z4kEbVc33A@mail.gmail.com> <52A52972.3020601@dougbarton.us> <CAMm+LwiHwKkK1C7K+DG-LTBS=Edsn=AjH5hCe+9LOukVZbPjmQ@mail.gmail.com> <52A64A1A.2020000@dougbarton.us> <CAMm+LwgptxAAmCxqP9g8-+EOjwapwb2PJjVvvSe=N6A79WZqXA@mail.gmail.com> <20131210005259.169F9B6E2F1@rock.dv.isc.org> <CAMm+LwhyXaOP8k8tZ6-cPrmmyXXjfgO=Jr5Jyf4S+WAZus1CWQ@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2013 14:00:39 -0000
--On Monday, December 09, 2013 22:39 -0500 Phillip Hallam-Baker <hallam@gmail.com> wrote: >... >> For a similar reason removal of TLD's can't happen as people >> can still graft on namespace and establish TA's for the >> grafted on namespace. > > > It is trivial to fix when the validation is taking place in a > service in the cloud (aka a resolver). > > Rather less easy to do if people drink the DANE cool-aid and > do the job at the end point. > > Now you can take this point as either arguing against doing > DANE or considering the risk and deploying the appropriate > control. But you do have to consider it. > > > What you are in effect asserting is that the resolver > providers are the apex of the trust chain and so there is a > diffuse trust surface rather than a sharp point. Which is true > when the validation takes place in the resolver. I am probably going to regret getting involved in this thread, but I would draw two rather different conclusions from the above and a number of other comments: (1) We have seriously oversold DNSSEC as a data quality and reliability mechanism when it is merely a transmission integrity mechanism. The former is about the DNS and associated registration database (e.g., "whois") records being accurate, secure, and maybe even information-containing. The latter is merely about an assurance that the data one receives hasn't been altered in transit in the DNS. Now most of the people who have been involved in the design and implementation of DNSSEC have been quite careful about the above, at least most of the time. But sometimes they are sloppy about their language, sometimes they say "DNNSEC" and people hear "DNS Security" and make inferences to data quality. More important, there is an (illogical) chain of reasoning from "DNSSEC is in use" to "[now] the DNS is secure" to "all of the data provided by the DNS or its supplemental databases are of high quality". While the integrity checks of DNSSEC provide some protection against some types of attacks on the "data quality" part of the DNS environment, the attacks they protect against are very difficult. An attacker with the resources to apply them would almost certainly find it easier, less resource-expensive, and harder to detect to attack registry databases (before data are entered into DNS zones and signed), registrar practices, or post-validation servers. Non-technical attacks, such as the oft-cited hypothetical NSL, are easily applied at those points as well -- much more easily than tampering with keys or signatures. (2) In a different version of some of the comments on the thread, the "where to validate" question is important. If one tries to validate at the endpoints, endpoint systems, including embedded ones, should have the code and resources needed to validate certs and handle rollovers, even under hostile conditions, and that isn't easy. If one relies on intermediate, especially third-party, servers to validate, than much of the expected integrity protection is gone... and the number of times such servers have been compromised would make this a non-theoretical problem even without concerns about governmental-type attacks (NSL and otherwise) on those servers. No easy solutions here. I don't know where that combination of situations leaves initiatives like DANE, but I suspect we should be looking at trust conditions and relationships a lot more carefully than the discussions and claims I've seen suggest we have been doing. john
- Re: https at ietf.org Eric Burger
- https at ietf.org Tim Bray
- Re: https at ietf.org Joe Abley
- Re: https at ietf.org David Morris
- Re: https at ietf.org Paul Wouters
- Re: https at ietf.org Joe Abley
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org Dean Willis
- Re: https at ietf.org Tim Bray
- Re: https at ietf.org Joe Abley
- Re: https at ietf.org Hector Santos
- Re: https at ietf.org Marco Davids (Prive)
- Re: https at ietf.org Hector Santos
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org Yoav Nir
- Re: https at ietf.org Måns Nilsson
- Re: https at ietf.org Eric Burger
- Re: https at ietf.org Dave Cridland
- Re: https at ietf.org Thiago Marinello
- Re: https at ietf.org Bjoern Hoehrmann
- Re: https at ietf.org John C Klensin
- Re: https at ietf.org John C Klensin
- Re: https at ietf.org Ted Lemon
- authentication without https (was Re: https at ie… Dave Crocker
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org ned+ietf
- Re: authentication without https (was Re: https a… Ted Lemon
- Re: https at ietf.org MAISONNEUVE, JULIEN (JULIEN)
- Re: https at ietf.org Eric Burger
- Re: https at ietf.org Marco Davids (Prive)
- Re: https at ietf.org Yoav Nir
- Re: https at ietf.org Måns Nilsson
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org Carsten Bormann
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org Carsten Bormann
- Re: https at ietf.org Måns Nilsson
- Re: https at ietf.org Måns Nilsson
- Re: https at ietf.org t.p.
- Re: https at ietf.org Dave Cridland
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Arturo Servin
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org Noel Chiappa
- Re: https at ietf.org Dave Cridland
- Re: https at ietf.org Chris Inacio
- Re: https at ietf.org Noel Chiappa
- Re: https at ietf.org Tim Bray
- Re: https at ietf.org Tim Bray
- Re: https at ietf.org Yoav Nir
- Re: https at ietf.org t.p.
- Re: https at ietf.org Noel Chiappa
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Chris Inacio
- Re: https at ietf.org Martin Rex
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org ned+ietf
- Re: https at ietf.org Martin Rex
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org Måns Nilsson
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org Douglas Otis
- Re: https at ietf.org Pranesh Prakash
- Re: https at ietf.org Pranesh Prakash
- Re: https at ietf.org Martin Rex
- Re: https at ietf.org Dave Cridland
- Re: https at ietf.org John R Levine
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org Eric Burger
- Re: https at ietf.org Joe Abley
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org Joe Abley
- Coercion S Moonesamy
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Ted Lemon
- Re: https at ietf.org John Levine
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Michael Richardson
- Reconstruct the key S Moonesamy
- Re: https at ietf.org Randy Bush
- Re: https at ietf.org Randy Bush
- Re: https at ietf.org Joe Abley
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Sean Turner
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Doug Barton
- Re: https at ietf.org Doug Barton
- Re: [IETF] https at ietf.org Warren Kumari
- Re: [IETF] https at ietf.org Michael Richardson
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org David Conrad
- Re: https at ietf.org Doug Barton
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org Doug Barton
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org Mark Andrews
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org John C Klensin
- Re: https at ietf.org Doug Barton
- Re: https at ietf.org Phillip Hallam-Baker
- Re: https at ietf.org Douglas Otis