Re: [keyassure] Object Digest Reference
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 13 December 2010 20:59 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 252C228C0F3 for <keyassure@core3.amsl.com>; Mon, 13 Dec 2010 12:59:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.358
X-Spam-Level:
X-Spam-Status: No, score=-2.358 tagged_above=-999 required=5 tests=[AWL=0.241, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id co3jaoC9UheJ for <keyassure@core3.amsl.com>; Mon, 13 Dec 2010 12:59:13 -0800 (PST)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) by core3.amsl.com (Postfix) with ESMTP id CD32128C0DF for <keyassure@ietf.org>; Mon, 13 Dec 2010 12:59:12 -0800 (PST)
Received: from saunalahti-vams (vs3-10.mail.saunalahti.fi [62.142.5.94]) by emh06-2.mail.saunalahti.fi (Postfix) with SMTP id DB948C7E4F; Mon, 13 Dec 2010 23:00:50 +0200 (EET)
Received: from emh04.mail.saunalahti.fi ([62.142.5.110]) by vs3-10.mail.saunalahti.fi ([62.142.5.94]) with SMTP (gateway) id A045BED81F8; Mon, 13 Dec 2010 23:00:50 +0200
Received: from LK-Perkele-V2 (a88-112-50-174.elisa-laajakaista.fi [88.112.50.174]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id 5169841BE2; Mon, 13 Dec 2010 23:00:47 +0200 (EET)
Date: Mon, 13 Dec 2010 23:01:07 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Phillip Hallam-Baker <hallam@gmail.com>
Message-ID: <20101213210107.GB29718@LK-Perkele-V2.elisa-laajakaista.fi>
References: <AANLkTikufUrJbOiatHh9Dt98Uxj7LnwL2EE0tRUw92BF@mail.gmail.com> <p06240801c92bf18f22f3@10.20.30.249> <AANLkTimKqj8O6gZ6dyjzJJAdr067MDWJvjSV4KCPSiP1@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <AANLkTimKqj8O6gZ6dyjzJJAdr067MDWJvjSV4KCPSiP1@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Transfer-Encoding: quoted-printable
X-Antivirus: VAMS
Cc: keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] Object Digest Reference
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2010 20:59:14 -0000
On Mon, Dec 13, 2010 at 01:59:28PM -0500, Phillip Hallam-Baker wrote: > On Mon, Dec 13, 2010 at 11:04 AM, Paul Hoffman <paul.hoffman@vpnc.org>wrote: > > Some folk on this list doubted that a semantic substitution attack was an > issue for the KEYASSURE/CERT proposal. I can't find any way to perform semantic substution attack against draft-hoffman-keys-linkage-from-dns-03 even in the most pathological situations (that don't involve much easier attacks anyway). BTW: TLS itself can't defend against such attacks, it just relies that attacker doesn't have such capabilites. > Now absent some really clear indication to the contrary, using ASN.1 OIDs > for identifying cryptographic algs and formats is pretty much a slam dunk. I > can't see how anyone could say that it is not an acceptable way to go for > any application layer design. Programming complexity. Which is big deal when you are writting this stuff in C or C++ for practical end applications. And yes, I'm assuming prefixes are precomputed. I looked at piece of code I have written that handles ASN.1-encoded hashes. All I can say is "yuck". I'd much rather deal with small integers (even if the set has gaps). > They are bad within DNSSEC. But unavoidable at the upper layers. I would > prefer not to have to support PGP and other key formats in this scheme, but > they are going to be unavoidable politically. I haven't seen any overly bad stuff with DNSSEC (granted, how many implementations support GOST, but the problem). But I have seen _PLENTY_ of bad stuff with X.509. > I don't like having to deal with all that. But what I really, really want to > avoid is having application layer crypto impact DNSSEC. his is just about how to denote hash algorithms. And what about fairly reasonable hash algorithms that seeming have no OID? > OK, how about on a web page. Imagine that we have a web page that is > downloaded from a TLS site but the images are stored on a separate image > server that does not have TLS. > > At the moment this is such a common use case that it is really difficult to > get enforcement on because it is so common. And there is another variation > where the data linked to is not even in the same domain. > > Imagine we can create a link of the form: > > <img src="http://images.example.com/1.gif" > odr="odr:woei2oqur02que0o2quefoiqwefouqwefoiu=="/> > > Packaging it up as a URI is not strictly necessary but that is what it is > functionally. > > One could even have a cache of content referenced by ODR lookup. So if the > content is not locatable, it can be pulled from cache. > > <a href="http://tools.ietf.org/rfc6666.txt > odr="odr:woqi12o3o12hroiqhweoiqhwe==">RFC 6666</a> What does that ODR encode about the semantics in both cases? That the file is a GIF in above case (what's the OID of GIF?) and that it is text file (what character set‽; what is say, OID of ASCII text file?). -Ilari
- [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Ilari Liusvaara
- Re: [keyassure] Object Digest Reference Ilari Liusvaara
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Richard L. Barnes
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Warren Kumari
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker
- Re: [keyassure] Object Digest Reference Paul Hoffman
- Re: [keyassure] Object Digest Reference Phillip Hallam-Baker