Re: [keyassure] Bare keys again
Jeff Schmidt <jschmidt@jasadvisors.com> Wed, 23 March 2011 14:13 UTC
Return-Path: <jschmidt@jasadvisors.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6C2DC3A690C for <keyassure@core3.amsl.com>; Wed, 23 Mar 2011 07:13:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJxxe5KPhhzs for <keyassure@core3.amsl.com>; Wed, 23 Mar 2011 07:13:58 -0700 (PDT)
Received: from relay-hub202.domainlocalhost.com (relay-hub202.domainlocalhost.com [74.115.204.52]) by core3.amsl.com (Postfix) with ESMTP id 2EB2B3A6869 for <keyassure@ietf.org>; Wed, 23 Mar 2011 07:13:57 -0700 (PDT)
Received: from MBX202.domain.local ([169.254.2.125]) by HUB202.domain.local ([74.115.204.52]) with mapi id 14.01.0255.000; Wed, 23 Mar 2011 10:15:31 -0400
From: Jeff Schmidt <jschmidt@jasadvisors.com>
To: Paul Wouters <paul@xelerance.com>, "keyassure@ietf.org" <keyassure@ietf.org>
Thread-Topic: [keyassure] Bare keys again
Thread-Index: AQHL51zGDvNhnuZrW0u0NF7HLeps2ZQ3NYOAgAAHOACAABQaAIABMNsAgAACqYCAAAL5gIAABGkAgAAICICAAmtBgP//8wT+
Date: Wed, 23 Mar 2011 14:15:33 +0000
Message-ID: <E6B327026515F942B2668762387B1DE303228CBD@MBX202.domain.local>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <1300669586.2117.12.camel@localhost> <alpine.LFD.1.10.1103202211390.20162@newtla.xelerance.com> <1300739370.2117.40.camel@localhost> <alpine.LFD.1.10.1103211631260.20162@newtla.xelerance.com> <AANLkTimyOXv66UeG2q2dmt1-e_Ek6WPPH-coueFc7fDS@mail.gmail.com> <AANLkTin1QjUbVFN8FqjL2SPRLSRRw4Ahs4zbhy4ZdZuX@mail.gmail.com> <alpine.LFD.1.10.1103211727150.28224@newtla.xelerance.com>, <alpine.LFD.1.10.1103230625150.18330@newtla.xelerance.com>
In-Reply-To: <alpine.LFD.1.10.1103230625150.18330@newtla.xelerance.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.64.24]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2011 14:13:59 -0000
I'm new here, so I please accept all relevant apologies and I ask for all relevant leniance and guidance. On Mon, 21 Mar 2011, Paul Wouters wrote > http://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion > This is another clear signal that DANE is needed, and the need for the > X509 storage format is unneccessary. So people can simply take control > of SSL for servers within their own DNS zones. I have been tracking this conversation with interest. I am of the opinion that X.509 is an artifact of the past, when public keys were distributed outside of any useful namespace, and we needed additional "stuff" to establish provenance, chain of trust, etc. X.509 is essentially a way to (1) map a public key to a hostname/email address, and (2) establish a chain of trust. Of course, we don't need (1) when the key is in DNS, and hopefully we're moving away from practices that would need (2) for all the reasons the CA trust model is broken. So, X.509 brings a lot of overhead/baggage without providing anything useful in return.(*) Thus, I agree that we should be designing DANE (and other approaches) for the future, which will hopefully be a post-X.509/CA world. The (*) is interoperability with TLS, which we obviously need. So, here's the idea: why don't we design DANE to support both methods of operation: publishing X.509 certs/hashes and bare keys. This gives us interoperability in the near term and flexibility into the future (to combat the TXT approaches). As I see it, we could generalize the "TLSA Certificate Types" registry to support several methods of operation - something like "TLSA Data Types" then add to the initial registry: n: Bare public key to identify an end entity n: Bare public key trust anchor Hash types still applies as written; some other language would need smoothing here and there, but it pretty much works. If I'm not way off base here, I'd be happy to take a shot at some edits to -06 if desired. Thanks, Jeff
- Re: [keyassure] Issues that no longer issues? Ondřej Surý
- [keyassure] Issues that no longer issues? Warren Kumari
- Re: [keyassure] Issues that no longer issues? Paul Wouters
- [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Stephen Kent
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Phillip Hallam-Baker
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Jeff Schmidt
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Henry Story
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Ben Laurie
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen