Re: [therightkey] [dane] DANE and CT
Paul Wouters <paul@nohats.ca> Wed, 14 November 2012 16:31 UTC
Date: Wed, 14 Nov 2012 11:30:31 -0500
From: Paul Wouters <paul@nohats.ca>
To: Ben Laurie <benl@google.com>
In-Reply-To: <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com>
Message-ID: <alpine.LFD.2.02.1211141124490.4326@bofh.nohats.ca>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com>
Cc: Tony Finch <dot@dotat.at>, therightkey@ietf.org, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT
On Wed, 14 Nov 2012, Ben Laurie wrote:

>>> At the CT BoF the question was raised: what about DANE?
>>>
>>> Which is a good question. So, I think Google is prepared to
>>> contemplate running a CT log for DANE, but this leaves some
>>> questions...
>>
>> What problem would CT for DANE be aiming to fix?
>
> By all means add that to the list of questions :-)
>
> But I assume the same problem CT already fixes: misissuance of certs
> (which in the DNSSEC world I guess mostly boils down to bad
> delegation).

Does that make sense though? With RRSIG validity times and TTLs you can set your "damage period" as small as you want. There is no issue like with certificates where your credentials can be abused for up to 12 months.

The only use I could see is as an alternative mechanism to transfer these records into the application that does not require a clean DNS transport.

I think CT is a bandaid for PKIX that does not apply to DANE.

I think the problem with DANE/DNSSEC right now is the additional latency and DNS transport issues (hotspots, VPN, etc) but I don't think CT is very well suited to address those.

Paul
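The "damage period" argument above can be made concrete. The following is an added illustration, not part of Paul's message or of any DANE implementation: it parses an RRSIG record in the RFC 4034 presentation format and computes how long a validating resolver can keep honouring the signed RRset once the operator stops re-signing it, applying the RFC 4035 section 5.3.3 rule that caps the cached TTL at the remaining signature validity. The owner name, dates, key tag and signature field of the sample record are constructed placeholders, and the signature bytes are not cryptographically verified here. The certificate comparison assumes a client that does no revocation checking, so the certificate stays acceptable until its notAfter.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG in zone-file presentation format (RFC 4034 section 3.2).
# Owner name, dates and key tag are made up; the signature is a placeholder
# and is not verified by this example.
SAMPLE_RRSIG = (
    "_25._tcp.mail.example. 3600 IN RRSIG TLSA 13 5 3600 "
    "20121121000000 20121114000000 12345 example. "
    "PLACEHOLDERSIGNATUREDATA=="
)

TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception field format (UTC)


def parse_timestamp(s):
    """Turn a YYYYMMDDHHMMSS RRSIG time field into an aware UTC datetime."""
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Split one RRSIG RR in presentation format into its RDATA fields."""
    f = text.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("expected '<owner> <ttl> IN RRSIG <rdata...>'")
    return {
        "owner": f[0],
        "rrsig_ttl": int(f[1]),
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": parse_timestamp(f[8]),
        "inception": parse_timestamp(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": " ".join(f[12:]),
    }


def signature_valid_at(rrsig, now):
    """RFC 4035 section 5.3.1: the signature is only acceptable while
    inception <= now <= expiration (clock-skew allowance omitted)."""
    return rrsig["inception"] <= now <= rrsig["expiration"]


def cached_ttl_seconds(rrsig, rrset_ttl, now):
    """RFC 4035 section 5.3.3: a validator caps the cached TTL at the minimum of
    the RRset TTL, the RRSIG TTL, the Original TTL field and the remaining
    signature validity. Returns 0 when the signature is not valid at `now`."""
    if not signature_valid_at(rrsig, now):
        return 0
    remaining = int((rrsig["expiration"] - now).total_seconds())
    return min(rrset_ttl, rrsig["rrsig_ttl"], rrsig["original_ttl"], remaining)


def damage_period_seconds(rrsig, now):
    """Longest time any validating resolver can keep honouring this RRset after
    `now` if the zone stops re-signing it: bounded by the signature expiration,
    whatever TTL the caches hold."""
    if not signature_valid_at(rrsig, now):
        return 0
    return int((rrsig["expiration"] - now).total_seconds())


def cert_damage_period_seconds(not_after, now):
    """Same bound for an X.509 certificate trusted without revocation checking:
    it remains acceptable until notAfter."""
    return max(0, int((not_after - now).total_seconds()))


if __name__ == "__main__":
    now = parse_timestamp("20121114120000")
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("DANE RRset exposure:", damage_period_seconds(sig, now) // 86400, "days")
    print("validator cache TTL now:", cached_ttl_seconds(sig, 3600, now), "s")
    cert_not_after = parse_timestamp("20131114120000")
    print("one-year cert exposure:",
          cert_damage_period_seconds(cert_not_after, now) // 86400, "days")
```

With the sample record, a misissued TLSA RRset can be accepted by validators for at most the remaining week of signature validity, while a one-year certificate without revocation stays acceptable for 365 days; shortening the RRSIG validity window shrinks the former directly.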
- [therightkey] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Tony Finch
- Re: [therightkey] [dane] DANE and CT Warren Kumari
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Tom Ritter
- Re: [therightkey] [dane] DANE and CT Tony Finch
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Tom Ritter
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Carl Wallace
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Frederico A C Neves
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT Paul Hoffman
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Danny McPherson
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT Danny McPherson
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Hoffman
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT James Cloos
- Re: [therightkey] [dane] DANE and CT Ben Laurie