IETF Logo Mail Archive

Re: IAB agendas now public

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 05 September 2018 17:00 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B51A130E70 for <ietf@ietfa.amsl.com>; Wed, 5 Sep 2018 10:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aozH2E9QzdZX for <ietf@ietfa.amsl.com>; Wed, 5 Sep 2018 10:00:28 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5A3130E6E for <ietf@ietf.org>; Wed, 5 Sep 2018 10:00:28 -0700 (PDT)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id E66F27DD59 for <ietf@ietf.org>; Wed, 5 Sep 2018 13:00:26 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: IAB agendas now public
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAMm+LwiEhXxW248vJF7=WaEqST=krvPgL22rS=jswa6qcvwb0w@mail.gmail.com>
Date: Wed, 05 Sep 2018 13:00:26 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: "ietf@ietf.org Discussion" <ietf@ietf.org>
Message-Id: <592B7F9F-127D-4F99-AF31-50E1872A83EC@dukhovni.org>
References: <b4afddcc-e8dc-9bd8-03d3-6374c29c4749@iab.org> <m2a7ownhl0.wl-randy@psg.com> <BC35696A-D4A6-47EA-A85C-EB472E42596E@lucidvision.com> <CA+9kkMCGNpFQGwEYZzn3CcOAdz_-GGMCP-N4jX_YuJ8tri0Bxw@mail.gmail.com> <CAMm+LwiEhXxW248vJF7=WaEqST=krvPgL22rS=jswa6qcvwb0w@mail.gmail.com>
To: "ietf@ietf.org Discussion" <ietf@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/wKpH5i30hz-_juq4R8gdBX6ONoM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2018 17:00:40 -0000


> On Sep 5, 2018, at 12:30 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> Meanwhile we have had DANE throw in a service description attribute record but only for one transport protocol and only for one trust model and even though it has seen precisely zero adoption in the WebPKI world, it is apparently the only security policy approach we are permitted to consider.

By WebPKI world, I assume you mean web browsers using HTTPS?

DANE *has* seen adoption in SMTP (~314,000 domains presently),
with implementations in multiple MTAs: Postfix, Exim,
MailChannels, Halon, PowerMTA (beta), Cisco ESA (beta), ...

For the Web, the main obstacle is last-mile DNSSEC issues, which
may get easier as DNS over TLS and DNS over HTTP offerings from
Cloudflare and the like eliminate bypass the CPE DNS breakage.
The remaining obstacle is purportedly latency, which may be
addressed with tls-dnssec-chain, if we manage to get adequate
downgrade-protection into the spec.  Finally, DNSSEC adoption
is still light, at ~9.5 million domains, highly concentrated in
Northern Europe, the USA and Brazil.  The actual payload of DANE
TLSA record has not been a real barrier to adoption.  The
PKIX-TA(0) certificate usage is a reasonable candidate for
hardening HTTPS against rogue CAs.

True, DANE is not "service discovery".  If a new service
discovery protocol that subsumed DANE became popular,
and vended both service location and security policy,
that'd be fine.  It is an interesting problem to work on.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email