Re: Quic: the elephant in the room
Phillip Hallam-Baker <phill@hallambaker.com> Sun, 11 April 2021 19:11 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25DC73A1A09 for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 12:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Djg8TXVphhlE for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 12:11:29 -0700 (PDT)
Received: from mail-yb1-f174.google.com (mail-yb1-f174.google.com [209.85.219.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7A23A1A07 for <ietf@ietf.org>; Sun, 11 Apr 2021 12:11:29 -0700 (PDT)
Received: by mail-yb1-f174.google.com with SMTP id k73so6309250ybf.3 for <ietf@ietf.org>; Sun, 11 Apr 2021 12:11:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IwXuivy83OJ5z5jr2KD4tsQ9csWZihRAk33SZwUcKCg=; b=J+hFuJUjGJhxP6rG46x3OcDNATurMLaLQUfdlBNZQ2/cr8BYZ5GeLm9bJtz8LbUpV0 T8stB6TCsRc7D8NUCGVOinQZPEICx8xl+E2kbEfnRitBSTgWh8VPbCfmpK+KG4tZRkUB ZlzkXXh6Y/K/caxJgYu5q2F0mbaX1ncyZnfSMY9IVAFA46WKWeCYIlUMqwVxHioowVNq 18XNTMgwR/+fJplnFSHX8maQu/dV+/IGEigHh3BOiGT6EqiQFY2NfExYQJojKt4NRtLx er8zaD5ReEzQTv4FslM04dEZmCoxpXqeEv2nrF107GoW0ArP17e6BwHbol0A8z1qwaD8 QSEg==
X-Gm-Message-State: AOAM531EUFdLt4yfboEgxa5Aa4wZcwocpaRXd0I/AUNGLKrG1C0FWLX/ dudj4tOIavAYzk6g3tYK29hH5V4+Z8nK1DKXOzQ=
X-Google-Smtp-Source: ABdhPJz7AnXCIEv1O9EbByHa3lcePxBio/3r00DZBqSo7rirKoRTNSnzZnA+e4/1LeWPYRdkHa0JOcPtBAaNJe2iavk=
X-Received: by 2002:a5b:585:: with SMTP id l5mr32018785ybp.213.1618168288539; Sun, 11 Apr 2021 12:11:28 -0700 (PDT)
MIME-Version: 1.0
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com>
In-Reply-To: <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sun, 11 Apr 2021 15:11:17 -0400
Message-ID: <CAMm+Lwj-O3NMJ+zWbfOViUXE1PBPzOZ6E1iPfZ0uWAj+1Q=_-w@mail.gmail.com>
Subject: Re: Quic: the elephant in the room
To: Michael Thomas <mike@mtcc.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF Discussion Mailing List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006786605bfb72aab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/uOxyn5ZA9_y4YYyfkZGJ8SSZSdA>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 19:11:34 -0000
I made essentially the same argument to people at Google BEFORE the DANE group was ever proposed. The answer they gave me then has not changed. DANE was chartered over a decade ago. Individuals in that group made clear that no input was going to be accepted from anyone who was a part of the WebPKI world. The tactics used were intentionally exclusionary. Those of us pointing out the limitations of the proposed approach were never given a fair hearing. It is now ten years since DANE was chartered. DANE has failed beyond the very limited application to SMTP which was never really covered. The argument for DANE was weak before LetsEncrypt was launched and it seems highly unlikely future events are going to change that. The TLSA model is simply the wrong model. If you want to change the way discovery is done, you need to think about the full discovery chain. And not least because DOH is another factor in this mix. DANE and DPRIV should have all been a part of one effort that should have included the introduction of SRV records for HTTP. The key weakness in the DNS protocol is that the client-resolver interaction is of an entirely different character to resolver-authoritative and the current client-resolver interaction only supports requests for one record at a time. The kick off meeting for DPRIV was quite interesting. There should be standing IESG instructions to prohibit chartering of any WG that is premised on the need to finish something in a year, so it is essential that it be done in exactly the way the proposers have already decided. Even more so when the results from DPRIV could be easily foreseen from the fact it was the same group that had hijacked DNS security policy with DANE. I don't claim to always do the right thing but there are some folk who seem to keep doing the same thing with the same outcome and for some reason they get priority over folk who have actually built stuff that was successfully deployed and is in use. On Sun, Apr 11, 2021 at 2:14 PM Michael Thomas <mike@mtcc.com> wrote: > > On 4/11/21 10:23 AM, Salz, Rich wrote: > > > - I don't see why [DNS timeouts] it can't be long lived, but even > normal TTL's would get amortized over a lot of connections. Right now with > certs it is a 5 message affair which cannot get better. But that is why one > of $BROWSERVENDORS doing an experiment would be helpful. > > There are use-cases where a five-second DNS TTL is important. And they’re > not amortized over multiple connections from **one** user, but rather > affect **many** users. Imagine an e-commerce site connected to two CDN’s > who needs to switch. > > The worst case is that it devolves into what we already have: 5 messages > assuming NS records are cached normally. > > Another approach using current infrastructure would be for the client to > cache the certs and hand the server cert the fingerprint(s) in the > ClientHello and the server sends down the chosen cert's fingerprint instead > of the cert which could get it back to 3 messages too. That would require > hacking on TLS though (assuming that somebody hasn't already thought of > this). That has the upside is that it's the server chooses whether it wants > to use the cached version or not too. > > Mike > > >
- Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Stephane Bortzmeyer
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: DNS vs PKI, was Quic: the elephant in the room John Levine
- Re: DNS vs PKI, was Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: th… Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic… Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality (was: Re: Quic… Viktor Dukhovni
- Re: Quic: the elephant in the room Andrew McConachie
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality Marco Davids
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Salz, Rich
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John Levine
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Mark Andrews
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Andrew McConachie
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Eliot Lear
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John R Levine
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Jim Fenton
- Re: DNSSEC architecture vs reality Masataka Ohta
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Donald Eastlake
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Viktor Dukhovni
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Vittorio Bertola
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: Fwd: Quic: the Elephant in the Room Michael Thomas
- Fwd: Quic: the Elephant in the Room Lars Eggert
- RE: Fwd: Quic: the Elephant in the Room Vasilenko Eduard
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker