Re: [keyassure] Asserting DANE exclusivity for an entire domain

Matt McCutchen <matt@mattmccutchen.net> Fri, 11 February 2011 00:20 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=V+Eo/ffJ/CXaT6W5C+59u9v9CknfYZNJvPhKnRyJjWi 76YV+8V3l4BDnT7eLD2TfSJmW6VTKgL15WSIgKDLjm5PkAazzmijXkfKXYWVWbp5 jSyl+44uqpi/+GxgOIrjCCd0rDjoEyFOCM0ng1QlZC7bTDjqCYIiIODy+aEzTs+s =
From: Matt McCutchen <matt@mattmccutchen.net>
To: keyassure <keyassure@ietf.org>
In-Reply-To: <20110210233124.GA22821@LK-Perkele-VI.localdomain>
References: <201102091639.p19GdWLP029306@fs4113.wdf.sap.corp> <alpine.LFD.1.10.1102091229000.1794@newtla.xelerance.com> <AANLkTim7NzX5aBeip4rw3=c+Eat_gfyk2t4-K3ZFEG7-@mail.gmail.com> <20110209200305.GB56498@shinkuro.com> <AANLkTikfwj7syaArnWe1cvhpX-V_FXJG9fCdmAjrgE2_@mail.gmail.com> <20110209214440.GG56498@shinkuro.com> <alpine.LFD.1.10.1102092206310.1794@newtla.xelerance.com> <1297376455.1820.80.camel@mattlaptop2.local> <20110210233124.GA22821@LK-Perkele-VI.localdomain>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 10 Feb 2011 19:20:25 -0500
Message-ID: <1297383625.1820.91.camel@mattlaptop2.local>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Re: [keyassure] Asserting DANE exclusivity for an entire domain
Precedence: list

On Fri, 2011-02-11 at 01:31 +0200, Ilari Liusvaara wrote:
> On Thu, Feb 10, 2011 at 05:20:55PM -0500, Matt McCutchen wrote:
> > 
> > I don't know where you got that.  My goal with "null TLSA" is to prevent
> > public CAs from fabricating a TLS service that I do not offer.  E.g., I
> > do not operate a site at https://secure.mattmccutchen.net, but if a
> > public CA spoofed it into existence and invited users to visit it, they
> > would be inclined to assume that I endorse the content. 
> 
> That attack doesn't work too well: Clients will try to resolve A/AAAA
> records for secure.mattmccutchen.net, ending up with authenticated
> NXDOMAIN and then complain about unknown host.

I forgot about that, but see my previous message on the subject:

http://www.ietf.org/mail-archive/web/keyassure/current/msg01679.html

> Now, this attack could actually work between ports (but would require
> MITMing on mass scale).

MITMing is what all of this is about...

-- 
Matt

[keyassure] Asserting DANE exclusivity for an ent… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Jakob Schlyter
Re: [keyassure] Asserting DANE exclusivity for an… Ondřej Surý
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Mark Andrews
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Olafur Gudmundsson