Re: [Resolverless-dns] Paper on Resolver-less DNS

Vittorio Bertola <vittorio.bertola@open-xchange.com> Fri, 23 August 2019 11:11 UTC

Date: Fri, 23 Aug 2019 13:11:39 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Reply-To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: sy@informatik.uni-hamburg.de, resolverless-dns@ietf.org
Message-ID: <1171283855.590.1566558699991@appsuite-gw1.open-xchange.com>
In-Reply-To: <ae355776-a1bb-cf23-f380-133439661d1f@informatik.uni-hamburg.de>
References: <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com> <4568720.uvMTqBdgP4@linux-9daj> <fb12f102-714d-95cc-c6cc-0871a2df9f50@informatik.uni-hamburg.de> <34813218.VKkrhzyXsx@linux-9daj> <ae355776-a1bb-cf23-f380-133439661d1f@informatik.uni-hamburg.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Importance: Medium
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/vLcV2cGQPQrqlEYsSc1MEFtuSqw>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
Precedence: list

> Il 23 agosto 2019 11:37 Erik Sy <sy@informatik.uni-hamburg.de> ha scritto:
> 
> In my view, DANE TLSA is an approach to do public key pinning. The web
> already collected a lot of experience with public key pinning as this
> can be also done using other protocols than DNS. In summary, the Chrome
> browser deprecated this mechanism last year [1]. Assuming that DANE TLSA
> would be widely supported on client systems, I think that Chrome would
> not start using this mechanism to do public key pinning.
> 
> 1:
> https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

According to the message you linked to, the main reason for deprecating HPKP was that it was hard for site operators to make sure that the pinned certificate matched the set of CAs that would be available in browsers at any time in the future, and the chain of intermediate certificates that each CA could use. This is not a problem with DANE, since DANE validates the certificate for the current connection and not for the future (so it's not really pinning it, just validating it every time), and does not depend on CAs and on the browser's acceptance of them. Even "hostile pinning" is much harder with DANE, since it would require the attacker to gain control of both the web server and the authoritative name server, rather than just the web server; and it would cease to have effects immediately once found and remediated.

Actually, moving to DANE validation in the browser would have been quite a reasonable consequence of the analysis in the message.

-- 
 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

[Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ben Schwartz
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Fred Baker
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Bob Harold
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie