Re: [keyassure] I-D Action:draft-ietf-dane-protocol-00.txt
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 14 December 2010 07:36 UTC
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Internet-Drafts@ietf.org
Cc: keyassure@ietf.org, i-d-announce@ietf.org
Date: Tue, 14 Dec 2010 09:38:18 +0200
In-Reply-To: <20101213220001.24500.52050.idtracker@localhost>
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
On Mon, Dec 13, 2010 at 02:00:01PM -0800, Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the DNS-based Authentication of Named Entities Working Group of the IETF.
>
>
> Title : Using Secure DNS to Associate Certificates with Domain Names For TLS
> Author(s) : P. Hoffman, J. Schlyter
> Filename : draft-ietf-dane-protocol-00.txt
> Pages : 9
> Date : 2010-12-12

Various unclear things:

- What protects against an app managing to load junk keys out of a wrong-format certificate (those junk keys might mathematically work and be weak)[1][2]?
- Since hash #0 is identity anyway, is there a reason not to merge 1 and 2 (and also 3 and 4)?
- Do type 3/4 entries match the end entity certificate as well, or only other certificates?

And then what to do on encountering various kinds of nonsense; what should happen when encountering:

- Record with first two bytes of 01 00?
- Record with first two bytes of 02 02?
- SHA-1 record that is 21 bytes total (truncated record)?
- SHA-1 record that is 23 bytes total (extra stuff after the end)?

[1] draft-hoffman-keys-linkage-from-dns-03 had protection against this.
[2] Granted, it seems pretty unlikely that an application can pull anything out of a wrong-format certificate. But if there ever will be another certificate format using ASN.1, that might not hold anymore...

-Ilari
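The malformed-record cases listed in the post above, turned into a Python validator. This is an added example, not code from the post, from draft-ietf-dane-protocol-00 or from any DANE implementation. It takes the two-byte certificate-type/hash-type header and the pairing of types 1/3 (hash) with 2/4 (full certificate) as the post describes them; the hash-type code points for SHA-1 (1) and SHA-256 (2), the DER SEQUENCE check standing in for "wrong format certificate" protection, and the sample certificate bytes are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Layout taken from the post: one byte certificate type, one byte hash type,
# then the certificate data. Certificate types 1/3 carry a hash, 2/4 carry a
# full DER certificate, and hash type 0 means "no hash". The code points for
# SHA-1 (1) and SHA-256 (2) are ASSUMPTIONS for this example; the draft's own
# table is authoritative.
HASH_TYPES = {1: ("sha1", 20), 2: ("sha256", 32)}
HASHED_CERT_TYPES = {1, 3}
FULL_CERT_TYPES = {2, 4}


class MalformedTLSA(ValueError):
    """Raised for any record an application should refuse to act on."""


@dataclass
class TLSARecord:
    cert_type: int
    hash_type: int
    data: bytes


def der_total_length(buf: bytes) -> Optional[int]:
    """Total length of the outer DER SEQUENCE in buf, or None if the header is
    not a minimally encoded SEQUENCE. Refuses data that is not even shaped like
    a DER certificate (the 'wrong format certificate' worry in [1]/[2])."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
        return None                        # DER forbids non-minimal lengths
    return 2 + n + length


def parse_tlsa(rdata: bytes) -> TLSARecord:
    """Parse one record, rejecting every inconsistent combination listed above."""
    if len(rdata) < 2:
        raise MalformedTLSA("record shorter than the two-byte header")
    cert_type, hash_type, data = rdata[0], rdata[1], rdata[2:]
    if cert_type in HASHED_CERT_TYPES:
        if hash_type == 0:                 # the "01 00" case: hash type says no hash
            raise MalformedTLSA("hashed certificate type with hash type 0")
        if hash_type not in HASH_TYPES:
            raise MalformedTLSA(f"unknown hash type {hash_type}")
        expected = HASH_TYPES[hash_type][1]
        if len(data) != expected:          # the 21-byte and 23-byte SHA-1 cases
            raise MalformedTLSA(f"hash is {len(data)} bytes, expected {expected}")
    elif cert_type in FULL_CERT_TYPES:
        if hash_type != 0:                 # the "02 02" case: full cert but a hash type
            raise MalformedTLSA("full certificate type with non-zero hash type")
        if der_total_length(data) != len(data):
            raise MalformedTLSA("certificate data is not exactly one DER SEQUENCE")
    else:
        raise MalformedTLSA(f"unknown certificate type {cert_type}")
    return TLSARecord(cert_type, hash_type, data)


def validate(rdata: bytes) -> str:
    """'ok' for an acceptable record, otherwise the reason it was refused."""
    try:
        parse_tlsa(rdata)
    except MalformedTLSA as exc:
        return str(exc)
    return "ok"


def make_hashed_record(cert_type: int, hash_type: int, cert_der: bytes) -> bytes:
    """Zone-side helper: build a hashed record for a given certificate."""
    if cert_type not in HASHED_CERT_TYPES or hash_type not in HASH_TYPES:
        raise ValueError("need a hashed certificate type and a known hash type")
    name, _ = HASH_TYPES[hash_type]
    return bytes([cert_type, hash_type]) + hashlib.new(name, cert_der).digest()


def matches(record: TLSARecord, cert_der: bytes) -> bool:
    """Does the presented certificate satisfy the (already validated) record?"""
    if record.cert_type in FULL_CERT_TYPES:
        return record.data == cert_der
    name, _ = HASH_TYPES[record.hash_type]
    return hashlib.new(name, cert_der).digest() == record.data


# Constructed sample: a minimal DER SEQUENCE standing in for a certificate.
SAMPLE_CERT = bytes.fromhex("3003020105")

if __name__ == "__main__":
    good = make_hashed_record(1, 1, SAMPLE_CERT)
    for label, rdata in [
        ("sha1 hash of EE cert", good),
        ("01 00", bytes([1, 0]) + bytes(20)),
        ("02 02", bytes([2, 2]) + SAMPLE_CERT),
        ("truncated sha1 (21 B)", good[:21]),
        ("trailing byte (23 B)", good + b"\x00"),
    ]:
        print(f"{label:22} -> {validate(rdata)}")
```

The validator treats every inconsistency as a hard failure rather than guessing an interpretation: a hashed type with hash type 0 and a full-certificate type with a non-zero hash type are both refused, a digest of the wrong length is refused in either direction, and full-certificate data must be exactly one DER SEQUENCE with nothing trailing. Only a record that passes `parse_tlsa` is handed to `matches`.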