Re: [therightkey] [dane] DANE and CT

Ben Laurie <benl@google.com> Wed, 14 November 2012 16:35 UTC

In-Reply-To: <alpine.LFD.2.02.1211141124490.4326@bofh.nohats.ca>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com> <alpine.LFD.2.02.1211141124490.4326@bofh.nohats.ca>
Date: Wed, 14 Nov 2012 16:35:31 +0000
Message-ID: <CABrd9SSv7vfxOhogGmYSWC8hROyXL_z4TJC8mxNMW-apSg5Y0Q@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Tony Finch <dot@dotat.at>, therightkey@ietf.org, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT

On 14 November 2012 16:30, Paul Wouters <paul@nohats.ca> wrote:
> On Wed, 14 Nov 2012, Ben Laurie wrote:
>
>>>> At the CT BoF the question was raised: what about DANE?
>>>>
>>>> Which is a good question. So, I think Google is prepared to
>>>> contemplate running a CT log for DANE, but this leaves some
>>>> questions...
>>>
>>>
>>> What problem would CT for DANE be aiming to fix?
>>
>>
>> By all means add that to the list of questions :-)
>>
>> But I assume the same problem CT already fixes: misissuance of certs
>> (which in the DNSSEC world I guess mostly boils down to bad
>> delegation).
>
>
> Does that make sense though? With RRSIG validity times and TTLs you
> can set your "damage period" as small as you want. There is no issue
> like with certificates where your credentials can be abused for up to
> 12 months.
>
> The only use I could see is as an alternative mechanism to transfer these
> records into the application that does not require a clean DNS transport.
>
> I think CT is a bandaid for PKIX that does not apply to DANE.
>
> I think the problem with DANE/DNSSEC right now is the additional latency
> and dns transport issues (hotspots, VPN, etc) but I don't think CT is
> very well suited to address those.

a) Why would an attacker use your validity times?

b) Weren't you amongst those asking for CT to support DANE during the BoF?

I disagree that CT is a bandaid for anything, BTW - it is a useful
mechanism in its own right.
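The exchange above turns on one point: the RRSIG validity window is covered by the signature, so it is chosen by whoever holds the signing key, not by the zone owner's policy. The following is an added example, not code from the thread or from any DANE/CT implementation. It models a DNSSEC validator's two checks (signature over the data, and `now` inside the inception/expiration window) with an HMAC standing in for the zone signing key, since anyone holding that key can mint RRSIGs, which is the situation after a key compromise or a bad delegation. The key, record data, timestamps and the `unlogged_signatures` monitor are all constructed for illustration; nothing here is real DNS wire format or RFC 4034 serial arithmetic.

```python
"""Added example: why a short RRSIG validity window does not bound the damage
an attacker holding the key can do, and what a CT-style log of observed
signatures would catch. All keys, names, times and record data are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class Rrsig:
    owner: str
    rrtype: str
    rdata: bytes
    inception: int    # seconds since epoch; RFC 4034's 32-bit serial arithmetic is ignored here
    expiration: int
    signature: bytes


def _signed_data(owner: str, rrtype: str, rdata: bytes,
                 inception: int, expiration: int) -> bytes:
    # Stand-in for the canonical "RRSIG RDATA + RRset" that RFC 4034 signs.
    # The validity window is part of the signed data, so it is whatever the
    # holder of the key says it is.
    return b"|".join([owner.encode(), rrtype.encode(), rdata,
                      str(inception).encode(), str(expiration).encode()])


def sign_rrset(zsk: bytes, owner: str, rrtype: str, rdata: bytes,
               inception: int, expiration: int) -> Rrsig:
    """Produce an RRSIG-like record. HMAC stands in for the asymmetric ZSK (assumption)."""
    sig = hmac.new(zsk, _signed_data(owner, rrtype, rdata, inception, expiration),
                   hashlib.sha256).digest()
    return Rrsig(owner, rrtype, rdata, inception, expiration, sig)


def validate(rrsig: Rrsig, zsk: bytes, now: int) -> bool:
    """What a validating resolver checks: signature correct AND now within the window."""
    if not rrsig.inception <= now <= rrsig.expiration:
        return False
    expected = hmac.new(zsk, _signed_data(rrsig.owner, rrsig.rrtype, rrsig.rdata,
                                          rrsig.inception, rrsig.expiration),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, rrsig.signature)


def unlogged_signatures(observed: list, issued: list) -> list:
    """CT-style monitor: signatures seen by clients that the legitimate signer never produced."""
    issued_sigs = {r.signature for r in issued}
    return [r for r in observed if r.signature not in issued_sigs]


def run_scenario() -> dict:
    zsk = b"constructed-zone-signing-key"
    t0 = 1352908800                       # constructed: 2012-11-14T16:00:00Z
    owner = "_443._tcp.example.com."      # constructed TLSA owner name
    good_tlsa = b"3 1 1 " + bytes.fromhex("ab" * 32)   # constructed rdata
    evil_tlsa = b"3 1 1 " + bytes.fromhex("cd" * 32)   # attacker's own cert hash

    # Zone owner follows the short-window policy: 7 days.
    legit = sign_rrset(zsk, owner, "TLSA", good_tlsa, t0, t0 + 7 * DAY)
    # Attacker holding the key ignores that policy and signs for a year.
    forged = sign_rrset(zsk, owner, "TLSA", evil_tlsa, t0, t0 + 365 * DAY)

    now = t0 + 30 * DAY
    return {
        # The owner's short window has expired...
        "legit_valid_day30": validate(legit, zsk, now),
        # ...but the attacker's record still validates, and will for ~11 more months.
        "forged_valid_day30": validate(forged, zsk, now),
        # A log of observed signatures, compared against what the owner issued,
        # surfaces the forgery even though every validator accepted it.
        "monitor_flags_forged": unlogged_signatures([legit, forged], [legit]) == [forged],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The validator never consults the owner's intended validity policy, only the window embedded in the signature, which is the content of the "why would an attacker use your validity times?" question. The `unlogged_signatures` step is the part a CT-style log would add: it does not shorten the attacker's window, but it makes the forged signature visible to the legitimate signer.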