Re: [keyassure] Objective: Restrictive versus Supplementary Models
James Cloos <cloos@jhcloos.com> Wed, 30 March 2011 15:59 UTC
Return-Path: <cloos@jhcloos.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 641203A6932 for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 08:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[AWL=0.720, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2bfKVnx86B4 for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 08:59:19 -0700 (PDT)
Received: from eagle.jhcloos.com (eagle.jhcloos.com [IPv6:2001:1938:12d::53]) by core3.amsl.com (Postfix) with ESMTP id 15B2F3A6917 for <keyassure@ietf.org>; Wed, 30 Mar 2011 08:59:19 -0700 (PDT)
Received: by eagle.jhcloos.com (Postfix, from userid 10) id 401A84010B; Wed, 30 Mar 2011 16:00:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=eagle; t=1301500856; bh=6d7mxX2Sd1i8s8OlKQwJGsuXWG3ba0TJL87PyIrqQ3g=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=dTIpNxKT4/MUI93GFsenfsaG5s22D86AxZcmb+41YRw5llITsgTBJJqmo20oCi4mn WKFmSbRMm3Mc53ClfSybabvA7KFnwQl74tx3v2Ck2jAYSjqwncHlTxDWdjXpqcFDaL o4JBrDuqTZlXnjVUFwohq3C3oA0JzWNomjkbrmJ8=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id B0296260042; Wed, 30 Mar 2011 15:52:41 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: keyassure@ietf.org
In-Reply-To: <AANLkTik1Uzd8XSZzopBBDHywrhSjsBQYxC91BZXdkMwg@mail.gmail.com> (Eric Rescorla's message of "Wed, 30 Mar 2011 10:48:53 +0200")
References: <AANLkTik1Uzd8XSZzopBBDHywrhSjsBQYxC91BZXdkMwg@mail.gmail.com>
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2011 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Wed, 30 Mar 2011 11:52:41 -0400
Message-ID: <m3vcz0fvvi.fsf@jhcloos.com>
Lines: 40
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:30:110330:keyassure@ietf.org::AkQGaJp043D3MBd8:000000000000000000000000000000000000000000HtjUo
X-Hashcash: 1:30:110330:ekr@rtfm.com::zTFM4HI+8NXF4BSC:0000icCW4
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 15:59:20 -0000
>>>>> "ER" == Eric Rescorla <ekr@rtfm.com> writes: ER> 1. Protecting against CA mis-issue (as in CA/cert lock). I hadn't though of doing this as Eric later describes (such that dnssec isn't required for this usage). I can understand how even an unsigned specification that a resource uses this-and-only-this CA might be an improvement over the status quo. But isn't false RR injection combined with a matching false cert chain still a relevant problem in that scenario? Perhaps the rfc should spec that, but with a threat analysis. ER> 2. Allowing TLS to work without getting a certificate from one ER> of the established trust anchors. The above said, this is my primary motivation. Commercial trust anchors provide little value and significant burden. It isn't just about "convenience". Obviously there is still a lot of third-party trust involved. You have to trust that the DS RRs are properly handled by the registrars, root & tld zone operators, et al. But we already have to trust them to do the same with the NS glue RRs. Ie, if the NS glue is mishandled the game is over anyway. So why not trust them correctly to handle the DS glue, too? The one thing that does become significantly more convenient, though, is more frequent rollover. Eric's second scenario should be DANE's primary mission. -JimC -- James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
- [keyassure] Objective: Restrictive versus Supplem… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Stephen Kent
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Warren Kumari
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Jim Schaad