Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Nico Williams <nico@cryptonector.com> Tue, 18 November 2014 00:17 UTC

Date: Mon, 17 Nov 2014 18:17:06 -0600
From: Nico Williams <nico@cryptonector.com>
To: Rob Stradling <rob.stradling@comodo.com>
Message-ID: <20141118001704.GE5476@localhost>
References: <5466AF87.2050307@gmail.com> <CAMm+Lwg30tb+yFxVMG3qJ=_fjVT=ASqUmaf9gH8wpUhUGxgf6A@mail.gmail.com> <CAK3OfOionKNtMRv+bFqY=yN1x+VQNwzraOBF-NSsdnSu6dOA5w@mail.gmail.com> <546A6DFD.1020306@comodo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <546A6DFD.1020306@comodo.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/CWXQ-1EDnVFr0GRaxn7Nw1U_LeA
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Ben Laurie <benl@google.com>
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

On Mon, Nov 17, 2014 at 09:51:57PM +0000, Rob Stradling wrote:
> I'm interested in making revocation checking for the WebPKI actually
> work when it needs to work!  And that means finding a way for
> browsers to be able to hard-fail when revocation status is
> unobtainable.
>
> [...]

What you say is true, but what we need here is a time machine.  One that
can travel backwards in time cheaply.  That one is stuck in AUTH48, I
hear, and we might not get it for a while yet.

Deadly embrace problems simply take time to fix.

DANE stands a pretty good chance of helping simplify a lot of things,
which is one reason that I'm a fan.  Right out of the gate DANE is way
ahead of PKIX w.r.t. naming constraints, and that's a huge part of the
battle -- nigh the most important, since the number of CAs that can
impersonate a service becomes: the number of labels in the TLSA RRset
domainname.

DANE can be stapled, and it's rather straightforward to do so too.  Yes,
there are issues, like the DNSSEC RSA 1024 root key, and the lack of
logging of delegations, but we know what they are and they are
tractable.

Nico
--
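The "number of CAs that can impersonate a service" point above is worth making concrete. The following is an added example, not code from Nico's message or from any DANE implementation: it walks the DNSSEC path for a TLSA owner name (root, TLD, zone, and any further zone cuts) to list the signers that must be trusted for that one service, and builds and checks TLSA rdata in the RFC 6698 presentation form. The delegation map (`zone_cuts`), the host name and the certificate/SPKI byte strings are constructed stand-ins; a real deployment would derive the zone cuts from DS records and the DER from the server's certificate.

```python
"""Who can forge a DANE TLSA record for a service, and does a key match it?

Added example, not part of the original message. The delegation map and
the DER byte strings below are constructed for illustration.
"""
import hashlib

# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo
# bytes (not real X.509 data; only their hashes matter for the example).
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_SPKI = b"\x30\x59" + bytes(range(0x59))

# Constructed delegation map: names below the root that are zone apexes
# (i.e. have their own DS record in the parent zone). In a real check this
# comes from DS lookups, not from a literal.
ZONE_CUTS = {"com.", "example.com."}


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of the TLSA RRset for a TLS service (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def ancestors(name):
    """Every name on the path from the root down to `name`, root first."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def signing_zones(name, zone_cuts):
    """Zones whose DNSSEC keys sit on the validation path for `name`.

    Any one of these zones (or whoever controls its signing keys) can publish
    a substitute TLSA RRset for the service, so this list is the DANE analogue
    of "which CAs can issue for this name". Passing every ancestor as a zone
    cut gives the upper bound of one trusted signer per label plus the root.
    """
    return [z for z in ancestors(name) if z == "." or z in zone_cuts]


def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Presentation form "usage selector mtype hexdata" of a TLSA record.

    selector 0 covers the whole certificate, 1 only the SubjectPublicKeyInfo;
    matching type 0 is the raw data, 1 its SHA-256, 2 its SHA-512.
    """
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        raise ValueError("unknown selector")
    if mtype == 0:
        digest = data
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest.hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate/SPKI satisfies one TLSA record."""
    usage, selector, mtype, hexdata = rdata.split()
    expected = tlsa_rdata(int(usage), int(selector), int(mtype), cert_der, spki_der)
    return expected.split()[3] == hexdata.lower()


if __name__ == "__main__":
    name = tlsa_owner("www.example.com")
    print("TLSA owner:", name)
    print("Signers that must be trusted:", signing_zones(name, ZONE_CUTS))
    print("Upper bound (every label a zone):", signing_zones(name, set(ancestors(name)[1:])))
    record = tlsa_rdata(3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)
    print("DANE-EE record:", record)
    print("Presented SPKI matches:", tlsa_matches(record, SAMPLE_CERT, SAMPLE_SPKI))
```

For `_443._tcp.www.example.com.` with the constructed delegations the trusted signers are the root, `com.` and `example.com.`; only if `_tcp` and `_443` were delegated as separate zones would the count reach the per-label upper bound. Contrast that short, name-bound list with the WebPKI, where every CA in the client's root store can issue for the name unless name constraints are in play.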