IETF Logo Mail Archive

Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 03 November 2010 18:55 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B03F228C0F5 for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 11:55:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3yxUhJcQ0sY for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 11:55:33 -0700 (PDT)
Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) by core3.amsl.com (Postfix) with ESMTP id 1C12E3A67BD for <keyassure@ietf.org>; Wed, 3 Nov 2010 11:55:32 -0700 (PDT)
Received: from saunalahti-vams (vs3-12.mail.saunalahti.fi [62.142.5.96]) by emh01-2.mail.saunalahti.fi (Postfix) with SMTP id 447DA8C2A7; Wed, 3 Nov 2010 20:55:38 +0200 (EET)
Received: from emh02.mail.saunalahti.fi ([62.142.5.108]) by vs3-12.mail.saunalahti.fi ([62.142.5.96]) with SMTP (gateway) id A0677233BC3; Wed, 03 Nov 2010 20:55:38 +0200
Received: from LK-Perkele-V2 (a88-112-50-174.elisa-laajakaista.fi [88.112.50.174]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 655462BD44; Wed, 3 Nov 2010 20:55:32 +0200 (EET)
Date: Wed, 03 Nov 2010 20:55:40 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Phillip Hallam-Baker <hallam@gmail.com>
Message-ID: <20101103185540.GA21187@LK-Perkele-V2.elisa-laajakaista.fi>
References: <1288462840.1977.4.camel@mattlaptop2.local> <69345A7D-4834-40E4-99C2-EDF3FC2DDEB3@Princeton.EDU> <1288469609.1977.178.camel@mattlaptop2.local> <EAC89FC3-184C-449C-AE5B-E3950578ED30@Princeton.EDU> <1288477403.1977.319.camel@mattlaptop2.local> <m3wroz6x81.fsf@jhcloos.com> <B255379A-6B1A-4E0B-AC66-EAD8F4B62040@kumari.net> <alpine.LSU.2.00.1011031546490.18926@hermes-2.csi.cam.ac.uk> <p0624080bc8f73e470aa3@10.20.30.150> <AANLkTinbv03Q6Ht0-3_fkSaW0Hp0-Kimi=WrfrMStBXe@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <AANLkTinbv03Q6Ht0-3_fkSaW0Hp0-Kimi=WrfrMStBXe@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
X-Antivirus: VAMS
Cc: Tony Finch <dot@dotat.at>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 18:55:34 -0000

On Wed, Nov 03, 2010 at 01:14:11PM -0400, Phillip Hallam-Baker wrote:
> 
> There are certainly issues that arise with prefixes as I mentioned in
> my other post. But they are tractable provided that:
> 
> 1) You are prepared to allow an additional DNS round trip.
> 2) You are prepared to introduce a new DNS RR.

Considering the adoption of CERT RR, CERT RR can almost be treated as
new RR.

And there's a diffrence between having to serialize the query and
firing off the query in parallel with some other qurey one would have
to do anyway.

> We have to keep an eye on efficiency, but anything we do here is going
> to depend on deployment of new DNS support infrastructure and require
> transport that supports new RRs.

Well, there's RFC 3597. But of course, new RRs (even if RFC 3597-compliant)
have issues with adminstration.

> Certificates typically bind to an entire domain.

They may, or they may not. Some services use certificates in bizarre
manner and can't share them with anything.

> Statements concerning configuration of a security policy naturally
> bind to a specific service at a domain.

If you think HSTS is good example of security policy, consider that
HSTS is really a special kind of protcol-level redirect and is only
well-defined because of interactions between HSTS spec and HTTPS
spec.

That's why I think that records specifying secure equivalent of service
must specify where to locate the service and how to connect to it
(there are essentially two ways).

> When we start to look at the consequences of outsourcing, the fact
> that I have outsourced my Web site to outsource.net does not
> necessarily mean I want to trust them with my mail service so maybe
> the assumption that certificates are global to a domain also starts to
> break down.

Actually, HTTP is just about the worst in this regard since it does
not support any kind of protocol-specific redirect from DNS. Yes, it
supports CNAME, but CNAME isn't prtocol-specific.

SMTP has MX records, many protocols have SRV, but HTTP does not have
anything like that.
 
> So I am thinking that we are going to end up with a requirement for
> protocol specific key assurance.

Actually, at key assurance level, port numbers/services only matter
if you can partition port numbers/services (which might not be
possible) or if you have services with different security levels on
one name (to prevent attacking higher-security services using stolen
key from lower-security service).

-Ilari

v2.23.0 | Report a Bug | By Email