Re: [keyassure] Bare keys again
Douglas Otis <dotis@mail-abuse.org> Thu, 24 March 2011 02:28 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0C7C3A67AB for <keyassure@core3.amsl.com>; Wed, 23 Mar 2011 19:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.521
X-Spam-Level:
X-Spam-Status: No, score=-106.521 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pypSxyppdcPp for <keyassure@core3.amsl.com>; Wed, 23 Mar 2011 19:28:07 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id AF6EB3A67A6 for <keyassure@ietf.org>; Wed, 23 Mar 2011 19:28:07 -0700 (PDT)
Received: from us-dougo-mac.us.trendnet.org (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id CEDDAA9444A for <keyassure@ietf.org>; Thu, 24 Mar 2011 02:30:32 +0000 (UTC)
Message-ID: <4D8AAC8E.8040107@mail-abuse.org>
Date: Wed, 23 Mar 2011 19:29:34 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: keyassure@ietf.org
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <1300669586.2117.12.camel@localhost> <alpine.LFD.1.10.1103202211390.20162@newtla.xelerance.com> <1300739370.2117.40.camel@localhost> <alpine.LFD.1.10.1103211631260.20162@newtla.xelerance.com> <AANLkTimyOXv66UeG2q2dmt1-e_Ek6WPPH-coueFc7fDS@mail.gmail.com> <AANLkTin1QjUbVFN8FqjL2SPRLSRRw4Ahs4zbhy4ZdZuX@mail.gmail.com> <alpine.LFD.1.10.1103211727150.28224@newtla.xelerance.com> <alpine.LFD.1.10.1103230625150.18330@newtla.xelerance.com>
In-Reply-To: <alpine.LFD.1.10.1103230625150.18330@newtla.xelerance.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2011 02:28:09 -0000
On 3/23/11 3:30 AM, Paul Wouters wrote: > On Mon, 21 Mar 2011, Paul Wouters wrote: > >>> Trying to use DANE as a means of eliminating X.509 from TLS is a >>> non-starter as far as I am concerned. >> >> That has been loud and clear. However, it does not mean others should >> stop trying to innovate and move forward. > > Especially considering the latest CA compromise where a CA issued a rogue > certificate for addons.mozilla.org. And this is not some el cheapo CA, > but one that is respected and has people very active within the IETF, the > good guys.... > > http://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion > > > This is another clear signal that DANE is needed, and the need for the > X509 storage format is unneccessary. So people can simply take control > of SSL for servers within their own DNS zones. Could this end the practice of stapling Certs to server responses that might be cached for weeks to support ultra-fast browsers? Perfect MitM. Do these browser insist on seeing valid nonce extensions, as this would hurt performance? -Doug
- Re: [keyassure] Issues that no longer issues? Ondřej Surý
- [keyassure] Issues that no longer issues? Warren Kumari
- Re: [keyassure] Issues that no longer issues? Paul Wouters
- [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Stephen Kent
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Phillip Hallam-Baker
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Jeff Schmidt
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Henry Story
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Ben Laurie
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen