IETF Logo Mail Archive

Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

Phillip Hallam-Baker <hallam@gmail.com> Wed, 03 November 2010 17:14 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 402FC28C120 for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 10:14:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rtnEYGWg7uh7 for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 10:14:05 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id BED6228C123 for <keyassure@ietf.org>; Wed, 3 Nov 2010 10:14:04 -0700 (PDT)
Received: by yxp4 with SMTP id 4so674974yxp.31 for <keyassure@ietf.org>; Wed, 03 Nov 2010 10:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=QglttzEinNdp6XP8js5nIX69r5U5hmqBGNhFamNl47o=; b=mWArXKjr4u28cvFTMHw8ij9D9Ye2utAaJFpvtBdy5vqhH6bVmC5n2Hq/bZgSVqKkU4 sf0IT5eCIuLCpc8geWwMTI9EBzqn6le6FiCdrBmNLBsW+SzR0qG0JQxVsOBLXRW/Z6v9 fwGniDhvpWkP8rpfju3/IpKCZC/dTpPVq7Ehg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=WVyxIkgzj6tEMgAlPHT2NuAsde4lQiz6I83FWUPEZD+9JAY/ZuHWbt3PCoqJZFhQqy vbNa0IQtPnvskKsC7ou1YGjAVJPSou5DWRFHWecv/QQwQz2L1SweJr+X+1d15Aqdil7n YXD9SI9qtHHi9n/eAjJBrIcP0Bk6+wkBrtvGY=
MIME-Version: 1.0
Received: by 10.100.135.14 with SMTP id i14mr2224760and.202.1288804451552; Wed, 03 Nov 2010 10:14:11 -0700 (PDT)
Received: by 10.100.41.14 with HTTP; Wed, 3 Nov 2010 10:14:11 -0700 (PDT)
In-Reply-To: <p0624080bc8f73e470aa3@10.20.30.150>
References: <286A23F7-0E2F-4F5E-906C-315DD9B325DA@princeton.edu> <p0624084ec8ef630fbae1@10.20.30.151> <4CC9E7AB.1030501@cs.tcd.ie> <p0624086dc8ef9feba340@10.20.30.151> <B6CEBA10-0198-4AB3-B6D4-E7D835FD47F1@princeton.edu> <AANLkTin-CqduBX5ibUCb0+1Lr-GXJ-KGd8YxzjUTPEO7@mail.gmail.com> <CA58B286-8F9D-423D-B9BF-91347F6FD960@Princeton.EDU> <1288462840.1977.4.camel@mattlaptop2.local> <69345A7D-4834-40E4-99C2-EDF3FC2DDEB3@Princeton.EDU> <1288469609.1977.178.camel@mattlaptop2.local> <EAC89FC3-184C-449C-AE5B-E3950578ED30@Princeton.EDU> <1288477403.1977.319.camel@mattlaptop2.local> <m3wroz6x81.fsf@jhcloos.com> <B255379A-6B1A-4E0B-AC66-EAD8F4B62040@kumari.net> <alpine.LSU.2.00.1011031546490.18926@hermes-2.csi.cam.ac.uk> <p0624080bc8f73e470aa3@10.20.30.150>
Date: Wed, 03 Nov 2010 13:14:11 -0400
Message-ID: <AANLkTinbv03Q6Ht0-3_fkSaW0Hp0-Kimi=WrfrMStBXe@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Tony Finch <dot@dotat.at>, keyassure@ietf.org
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 17:14:06 -0000

+1 on the RFC 5507

This was actually a major change that was made to the document.
Originally there was a blanket proscription on prefixes that some of
us spent a lot of time and effort to get changed.

There are certainly issues that arise with prefixes as I mentioned in
my other post. But they are tractable provided that:

1) You are prepared to allow an additional DNS round trip.
2) You are prepared to introduce a new DNS RR.

We have to keep an eye on efficiency, but anything we do here is going
to depend on deployment of new DNS support infrastructure and require
transport that supports new RRs.


I think that we should first decide on all the features we might want
and then look at how we implement.

Certificates typically bind to an entire domain.

Statements concerning configuration of a security policy naturally
bind to a specific service at a domain.


I may use the same certificate for my mail and web servers. But I
almost certainly have not configured them identically.

When we start to look at the consequences of outsourcing, the fact
that I have outsourced my Web site to outsource.net does not
necessarily mean I want to trust them with my mail service so maybe
the assumption that certificates are global to a domain also starts to
break down.

So I am thinking that we are going to end up with a requirement for
protocol specific key assurance.


On Wed, Nov 3, 2010 at 12:36 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> At 4:03 PM +0000 11/3/10, Tony Finch wrote:
>>On Sat, 30 Oct 2010, Warren Kumari wrote:
>>>
>>> I (no hats) was against the _selector_ idea as I feel that all records
>>> related to a thingie (technical term) should exist at the same level
>>> [...], but this is an elegance viewpoint and enough folk have pointed
>>> out that this is a needed feature that I'm open to it as an idea....
>>>
>>> Another option (which has some (IMO) of the elegance retained, but
>>> probably has scalability and leakage issues) is [...] basically, have
>>> the records for foo.example.com (or just exmaple.com) all at the same
>>> level, but have the ports included in the response.
>>
>>I think both of these are argued against by section 3.1 of RFC 5507.
>>
>>That RFC also argues against a _prefix approach, but it also fails to
>>provide any solution for RRs that can apply to any service and which need
>>to be selected per service.
>
> I read that section (and lots of other sections of 5507) as saying "don't assume one solution fits all". But I also note that the section 3.1 talks about the problems of "a large number of services for a single domain name" causing fallback to TCP. In the case of KIDNS, the solution is simple: don't allow a large number of services to be accessed by that domain name just because they are all running on the same box. That is, if the use of subtyping causes a TCP-fallback problem for the nameserver of a particular domain name, the solution is in the hands of the affected parties: use subdomains (which they probably are already doing anyhow...).
>
>>Another argument against putting all the records at the same domain name
>>is that it couples the policies for the services together. For instance, I
>>would want to be able to put certs or fingerprints in the DNS for my
>>secure services without forcing my colleagues to upgrade their services to
>>secure-only. (It's reasonable not to prioritize the deployment of
>>encryption for anonyous services.)
>
> First off, the proposal for "say which services require TLS" is not part of KIDNS, despite what it might seem from reading some of the list traffic. When that protocol is specified, it does not (and I think should not) be linked to the KIDNS key association.
>
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> keyassure mailing list
> keyassure@ietf.org
> https://www.ietf.org/mailman/listinfo/keyassure
>



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email