IETF Logo Mail Archive

Re: [therightkey] [dane] DANE and CT

Tony Finch <dot@dotat.at> Wed, 14 November 2012 17:02 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2C421F8680; Wed, 14 Nov 2012 09:02:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.623
X-Spam-Level:
X-Spam-Status: No, score=-5.623 tagged_above=-999 required=5 tests=[AWL=0.977, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j4cq1a3DEgQe; Wed, 14 Nov 2012 09:02:46 -0800 (PST)
Received: from ppsw-50.csi.cam.ac.uk (ppsw-50.csi.cam.ac.uk [131.111.8.150]) by ietfa.amsl.com (Postfix) with ESMTP id EE37521F85FD; Wed, 14 Nov 2012 09:02:45 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:56726) by ppsw-50.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1TYgMN-00007K-rr (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Wed, 14 Nov 2012 17:02:43 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1TYgMN-00074g-Lf (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Wed, 14 Nov 2012 17:02:43 +0000
Date: Wed, 14 Nov 2012 17:02:43 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Warren Kumari <warren@kumari.net>
In-Reply-To: <212E2C13-CE98-43BB-B665-14DD18236F03@kumari.net>
Message-ID: <alpine.LSU.2.00.1211141640120.15409@hermes-1.csi.cam.ac.uk>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <212E2C13-CE98-43BB-B665-14DD18236F03@kumari.net>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: therightkey@ietf.org, Ben Laurie <benl@google.com>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 17:02:47 -0000

Warren Kumari <warren@kumari.net> wrote:
>
> If I run example.com and someone managed to generate / publish a TLSA
> record for that I'd sure like to know about it.

Right. But in PKIX a mis-issued certificate has nothing to do with your
own infrastructure, whereas with DANE it implies that your infrastructure
(or the infrastructure of your DNS service providers) has been
compromised.

I'm a bit worried about the operational implications: PKIX CT is extra
work for CAs, but DANE CT is extra work for everyone.

So I'm skeptical that the cost/benefit tradeoff is positive.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

v2.23.0 | Report a Bug | By Email