Re: [therightkey] [dane] DANE and CT

Ben Laurie <benl@google.com> Wed, 14 November 2012 17:56 UTC

In-Reply-To: <20121114172950.GA13499@isc.upenn.edu>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <212E2C13-CE98-43BB-B665-14DD18236F03@kumari.net> <alpine.LSU.2.00.1211141640120.15409@hermes-1.csi.cam.ac.uk> <CABrd9ST8duM=U-0g02yres_qEY5tnLY6dXLJzxcXiKYEqmiFNA@mail.gmail.com> <20121114172950.GA13499@isc.upenn.edu>
Date: Wed, 14 Nov 2012 17:56:24 +0000
Message-ID: <CABrd9SSMq8RQVTB7OWHEULC0Kwy-XqXEiKzEE5e6O7cG1_6Hiw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Shumon Huque <shuque@upenn.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Tony Finch <dot@dotat.at>, therightkey@ietf.org, IETF DANE WG list <dane@ietf.org>

On 14 November 2012 17:29, Shumon Huque <shuque@upenn.edu> wrote:
> On Wed, Nov 14, 2012 at 05:07:58PM +0000, Ben Laurie wrote:
>> On 14 November 2012 17:02, Tony Finch <dot@dotat.at> wrote:
>> > Warren Kumari <warren@kumari.net> wrote:
>> >>
>> >> If I run example.com and someone managed to generate / publish a TLSA
>> >> record for that I'd sure like to know about it.
>> >
>> > Right. But in PKIX a mis-issued certificate has nothing to do with your
>> > own infrastructure, whereas with DANE it implies that your infrastructure
>> > (or the infrastructure of your DNS service providers) has been
>> > compromised.
>>
>> Isn't the infrastructure of your DNS service providers nothing to do
>> with your own infrastructure? Not to mention your TLD's
>> infrastructure, and that of all of their registrars (and, presumably,
>> DNS service providers)?
>
> One critical difference is that with DANE, I can query the DNSSEC
> delegation chain myself and detect whether my TLD has installed a
> bogus DS record and take action. I cannot today detect a bogus
> X.509 cert by myself. I think this makes a CT like scheme less necessary
> for DANE.

You can't detect a bogus X.509 cert because you can't connect to the
server serving it, presumably. What magic allows you to perform this
trick for DNS but not HTTPS?

>
> --
> Shumon Huque
> University of Pennsylvania.
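Shumon's claim above is that a zone owner can query the DNSSEC delegation chain directly and notice when the parent publishes a DS record that does not match the zone's own KSK. The following is an added illustration of that check, not code from this message or from anyone in the thread. It assumes a fabricated DNSKEY (the public key bytes are made up and are not a real key), a constructed "published" DS RRset, and only the Python standard library: it derives the DS digest the parent should be publishing (SHA-256 over the canonical owner name plus the DNSKEY RDATA, with the RFC 4034 key tag) and reports any DS records that are unexpected or missing.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed example zone; replace with the zone you actually operate.
ZONE = "example.com."


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def expected_ds(zone: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """The DS record (digest type 2 = SHA-256) the parent should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, 2, digest)


def parse_ds(line: str) -> DS:
    """Parse presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("malformed DS record: %r" % line)
    tag, alg, dtype = (int(p) for p in parts[:3])
    return DS(tag, alg, dtype, "".join(parts[3:]).lower())


def audit_ds(published: List[str], expected: Set[DS]) -> Dict[str, List[DS]]:
    """Compare the DS RRset seen at the parent against the DS records we expect to be there."""
    observed = {parse_ds(line) for line in published}
    return {
        "unexpected": sorted(observed - expected, key=lambda d: d.key_tag),
        "missing": sorted(expected - observed, key=lambda d: d.key_tag),
    }


def demo() -> Dict[str, List[DS]]:
    """Run the audit on constructed data: our own KSK plus one DS we never asked for."""
    # Fabricated 64-byte "public key" for a KSK (flags 257, algorithm 13); not a real key.
    fake_pubkey = bytes(range(64))
    ours = expected_ds(ZONE, 257, 3, 13, fake_pubkey)
    # Constructed DS RRset as if returned by a query to the parent zone's servers:
    # the first line matches our KSK, the second is a DS for a key we do not own.
    published_at_parent = [
        "%d 13 2 %s" % (ours.key_tag, ours.digest),
        "12345 13 2 " + "ab" * 32,
    ]
    return audit_ds(published_at_parent, {ours})


if __name__ == "__main__":
    result = demo()
    for ds in result["unexpected"]:
        print("DS at parent that we did not publish: key tag %d, digest %s..." % (ds.key_tag, ds.digest[:16]))
    for ds in result["missing"]:
        print("expected DS not present at parent: key tag %d" % ds.key_tag)
```

In practice `published_at_parent` would come from a query for the zone's DS RRset sent to the parent's authoritative servers (and the expected set from the zone's own KSKs). Note that the check sees only the answer the querying resolver is given, which is exactly the limitation Ben raises in his reply: a party that can serve a bogus record to others can also serve the correct one to the owner.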