Re: [Ntp] Of Roughtime's algorithm agility, and host attestation

"Patrik Fältström " <paf@frobbit.se> Sat, 27 July 2019 05:51 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4510612014B for <ntp@ietfa.amsl.com>; Fri, 26 Jul 2019 22:51:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNUK_kyCskCt for <ntp@ietfa.amsl.com>; Fri, 26 Jul 2019 22:51:23 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FE17120140 for <ntp@ietf.org>; Fri, 26 Jul 2019 22:51:23 -0700 (PDT)
Received: from [192.165.72.241] (unknown [IPv6:2a02:80:3ffc:0:7057:2d3:6ff3:9349]) by mail.frobbit.se (Postfix) with ESMTPSA id F30F42A1B4; Sat, 27 Jul 2019 07:51:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1564206681; bh=SCFcK2HVeEB7l+KJtDiIAOk279jHh0lw+zP/CPTsRps=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m4j3CmRLpmU0qIzXIvR1A+PhvptcvIZke5qrFFJL7IRKuIOLXixriFuisBZC55yDz FKiCBaXjcC7tiWtF/4TBJzmqh6mtwkAtc/ZNL4giqxan8qsTJS1z9SZ9ILVKQYOD9D CHemCQRqDj6QExeA6tKHkA3+vd5CohGx+hMJG1Cg=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Robert Nagy" <rob@deepdivenetworking.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "Thomas Peterson" <nosretep.samoht@gmail.com>, ntp@ietf.org
Date: Sat, 27 Jul 2019 07:51:18 +0200
X-Mailer: MailMate (1.12.5r5635)
Message-ID: <12978B33-9014-4DF4-A372-88DBCE4BB167@frobbit.se>
In-Reply-To: <3C2EBBE8-3970-4B8C-BFE4-BB7F247EF7C3@deepdivenetworking.com>
References: <07725d0b-74ec-ec92-70fe-e27f0c4eee8c@gmail.com> <1564190434519110001_8FF0F819-5F81-41B3-A7F1-B4E97E22E0F7@akamai.com> <3C2EBBE8-3970-4B8C-BFE4-BB7F247EF7C3@deepdivenetworking.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_C36F200E-0928-4533-AE9A-9D6BE3B6E99E_="; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hCiEskmBznn5p2vOgsXe9MIY_KE>
Subject: Re: [Ntp] Of Roughtime's algorithm agility, and host attestation
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jul 2019 05:51:28 -0000

On 27 Jul 2019, at 5:05, Robert Nagy wrote:

> This seems within the use case of the already existing TLSA records in DNS. Unless I missed something.

+1

Don't create anything new.

  Patrik

> Robert Nagy
> CEO/ Senior Dive Master
> DeepDive Networking, Inc
> C: 408.480.5133
> www.deepdivenetworking.com
>
>
> Sent from my iPhone
>
>> On Jul 26, 2019, at 8:20 PM, Salz, Rich <rsalz@akamai.com>; wrote:
>>
>>
>>>   To answer the first point, one suggestion by Erik Klein[0] is to create
>>    a new DNS RR type that includes the long term certificate of the
>>    Roughtime server.
>>
>> Look at https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-00 which attempts to provide various useful information. One possibility is a "cert digest" field.  Certs are generally too big for DNS, only keys appear.
>>
>> For crypto types, re-use an existing registry and profile it to make things MUST NOT.  There are various options, including TLS, JOSE, etc.
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp