IETF Logo Mail Archive

Re: [saag] new terminology ID posted

Stephen Kent <kent@bbn.com> Mon, 07 April 2014 14:14 UTC

Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F367A1A0791 for <saag@ietfa.amsl.com>; Mon, 7 Apr 2014 07:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id piQtjr5S-gfi for <saag@ietfa.amsl.com>; Mon, 7 Apr 2014 07:14:40 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 019801A0452 for <saag@ietf.org>; Mon, 7 Apr 2014 07:14:39 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:40880 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WXAJu-000GoT-0s; Mon, 07 Apr 2014 10:14:42 -0400
Message-ID: <5342B2C8.7060304@bbn.com>
Date: Mon, 07 Apr 2014 10:14:32 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <533AE246.9080806@bbn.com> <20140401163654.GD12559@mournblade.imrryr.org> <533B0993.80001@bbn.com> <20140405212023.GF2727@localhost>
In-Reply-To: <20140405212023.GF2727@localhost>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/jx9cfp0JLhQXS-f6cqjv5StsURo
Cc: saag@ietf.org
Subject: Re: [saag] new terminology ID posted
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 14:14:45 -0000

Nico,

> On Tue, Apr 01, 2014 at 02:46:43PM -0400, Stephen Kent wrote:
>> Thus it may not result in as much encryption as a mechanism which does not
>> impose that prerequisite. Folks will have to decide if we want to create a
>> different term for DANE-enabled TLS (and IPsec) sessions, or broaden the
>> definition of opportunistic security to encompass them. I'm happy to
>> generate text to accommodate whatever folks decide.
> Er, are you asking for a consensus call on this point?  I'm definitely
> for DANE-enabled TLS.  Who wouldn't be?  Can we hear some arguments
> against?  I'm curious about this.
I was not asking for a consensus call, yet. And, even if I were, the
issue is not whether DANE-enabled TLS is good or bad (I think it';s
very good) but whether it will be included in a definition of OS.
> Or, if we don't hear any such arguments, then I think we must have
> consensus on this point.
DANE-enabled TLS does not meet some of the posited requirements for
OS, e.g., PFS, and encrypt first and authenticate later. Gee, that sounds
a lot like "shoot first and ask questions later" now that I think about 
it :-).
> Until then, what's the harm in including "DANE-enabled TLS" in your I-D?
> How might we get feedback on that if you don't?
Include it as what? I have included notes on what I viewed as "legacy"
IETF security protocols. DANE-enabled TLS is rather new to be viewed
as one of those. I don't want to discuss all of the proposals that are
now on progress, lest we never complete this doc. In that sense DANE-enabled
TLS tends to fall in the middle. If folks feel it's important to mention,
then I will do so, but not as an example of OS.
> As to IPsec, I really think there are two "correct" approaches to making
> end-to-end IPsec work:
>
>   - Apps (or the OS libraries/kernel) lookup IPsec-equivalents of TLSA
>     RRsets for the desired host/service name (not IP addresses!), then
>     arrange for local IPsec policy to require the remote's ID/credentials
>     for the address found in the DNS to match those found in the IPsec
>     DANE.
>
> and/or
>
>   - Use IPsec connection latching and channel binding to IPsec channels
>     at the app layer.
>
> Note that the first effectively refers to connection latching.  The
> latter is only relevant when there's an app-layer authentication
> mechanism with various properties, making the first approach the only
> general one.

I think this level of detail is beyond what needs to be discussed in 
this doc
but, as above, let's see what other folks feel.

Steve

v2.41.0 | Report a Bug | By Email | System Status