Re: [therightkey] [dane] DANE and CT

Tom Ritter <tom@ritter.vg> Wed, 14 November 2012 17:51 UTC

In-Reply-To: <20121114172950.GA13499@isc.upenn.edu>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <212E2C13-CE98-43BB-B665-14DD18236F03@kumari.net> <alpine.LSU.2.00.1211141640120.15409@hermes-1.csi.cam.ac.uk> <CABrd9ST8duM=U-0g02yres_qEY5tnLY6dXLJzxcXiKYEqmiFNA@mail.gmail.com> <20121114172950.GA13499@isc.upenn.edu>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 14 Nov 2012 12:51:04 -0500
Message-ID: <CA+cU71nWPeqW-LBoAQLEW2ubnLdU1RO33wP+V=+rY=nRXTnd+A@mail.gmail.com>
To: Shumon Huque <shuque@upenn.edu>
Cc: therightkey <therightkey@ietf.org>, Ben Laurie <benl@google.com>, IETF DANE WG list <dane@ietf.org>

On 14 November 2012 12:29, Shumon Huque <shuque@upenn.edu> wrote:

> One critical difference is that with DANE, I can query the DNSSEC
> delegation chain myself and detect whether my TLD has installed a
> bogus DS record and take action. I cannot today detect a bogus
> X.509 cert by myself. I think this makes a CT like scheme less necessary
> for DANE.

I can query my server on port 443 and see if there is a bogus certificate.
The lack of a bogus certificate in a response to a single query does not
mean there is not a valid attacker-controlled signature chain an attacker
could send to attack a user - whether that signature chain is of PKIX
signatures or DNSSEC signatures.

-tom
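Added example, not from the thread and not code by either poster: the check Shumon describes, comparing the DS records a parent zone publishes with the DNSKEYs the child zone actually serves, built from the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) computations. The zone name and all key bytes are constructed for the demo and are not real key material; a real run would fetch the DNSKEY and DS RRsets with a resolver. As Tom's reply notes, an empty result says only that the parent's answer to this one query carried no unexpected DS, not that no other valid chain exists.

```python
"""DS-versus-DNSKEY delegation check (added example; constructed data, no real keys)."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, the non-RSA/MD5 form)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest types this example understands: SHA-1 (RFC 4034), SHA-256 (RFC 4509), SHA-384 (RFC 6605)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(zone: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS a parent should publish for this DNSKEY: (key tag, algorithm, digest type, hex digest),
    where digest = H(owner name in wire form || DNSKEY RDATA)."""
    algorithm = rdata[3]
    digest = DS_DIGEST[digest_type](name_to_wire(zone) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_delegation(zone: str, child_dnskeys: list, parent_ds_set: list) -> list:
    """Return every DS in the parent's answer that matches none of the child's DNSKEYs.
    An empty list means only that this particular answer carried no unexpected DS."""
    expected = {ds_from_dnskey(zone, rdata, dtype)
                for rdata in child_dnskeys for dtype in DS_DIGEST}
    return [(tag, alg, dtype, dig.lower()) for (tag, alg, dtype, dig) in parent_ds_set
            if (tag, alg, dtype, dig.lower()) not in expected]


ZONE = "example.net."  # constructed zone for the demo
CHILD_DNSKEYS = [      # constructed key bytes, not real DNSSEC public keys
    dnskey_rdata(257, 3, 8, bytes(range(1, 65))),      # KSK: flags 257 (SEP bit set)
    dnskey_rdata(256, 3, 8, bytes(range(64, 0, -1))),  # ZSK: flags 256
]
# What an honest parent publishes: a SHA-256 DS for the child's KSK
PARENT_DS = [ds_from_dnskey(ZONE, CHILD_DNSKEYS[0], 2)]
# The DS a parent would have to add to delegate the zone to an attacker's key (constructed)
ATTACKER_DNSKEY = dnskey_rdata(257, 3, 8, b"\xaa" * 64)
BOGUS_DS = ds_from_dnskey(ZONE, ATTACKER_DNSKEY, 2)

if __name__ == "__main__":
    print("honest parent, unexpected DS:", check_delegation(ZONE, CHILD_DNSKEYS, PARENT_DS))
    print("tampered parent, unexpected DS:",
          check_delegation(ZONE, CHILD_DNSKEYS, PARENT_DS + [BOGUS_DS]))
```

The comparison is done on the full DS tuple rather than on key tag alone, since key tags are a 16-bit checksum and collide; the digest is what actually binds the parent's record to the child's key.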