Re: [therightkey] [dane] DANE and CT

Paul Wouters <paul@nohats.ca> Wed, 14 November 2012 16:31 UTC

Date: Wed, 14 Nov 2012 11:30:31 -0500
From: Paul Wouters <paul@nohats.ca>
To: Ben Laurie <benl@google.com>
In-Reply-To: <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com>
Message-ID: <alpine.LFD.2.02.1211141124490.4326@bofh.nohats.ca>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com>
Cc: Tony Finch <dot@dotat.at>, therightkey@ietf.org, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT

On Wed, 14 Nov 2012, Ben Laurie wrote:

>>> At the CT BoF the question was raised: what about DANE?
>>>
>>> Which is a good question. So, I think Google is prepared to
>>> contemplate running a CT log for DANE, but this leaves some
>>> questions...
>>
>> What problem would CT for DANE be aiming to fix?
>
> By all means add that to the list of questions :-)
>
> But I assume the same problem CT already fixes: misissuance of certs
> (which in the DNSSEC world I guess mostly boils down to bad
> delegation).

Does that make sense though? With RRSIG validity times and TTLs you
can set your "damage period" as small as you want. There is no issue
like with certificates where your credentials can be abused for up to
12 months.

The only use I could see is as an alternative mechanism to transfer these
records into the application that does not require a clean DNS transport.

I think CT is a bandaid for PKIX that does not apply to DANE.

I think the problem with DANE/DNSSEC right now is the additional latency
and DNS transport issues (hotspots, VPN, etc) but I don't think CT is
very well suited to address those.

Paul
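The argument above, that RRSIG validity and TTLs bound the period in which a mis-published DANE record can be accepted, while a misissued certificate is accepted until its notAfter, can be made concrete. The following is an added example and not part of the original message or any IETF work: it parses an RRSIG in zone-file presentation format (RFC 4034 section 3.2), computes the worst-case acceptance window for the covered TLSA RRset, and compares it with a certificate's validity period. The RRSIG line and the certificate dates are constructed sample values.

```python
"""Compare the worst-case exposure window of a DNSSEC-signed TLSA RRset
with that of a PKIX certificate (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration presentation format: YYYYMMDDHHMMSS in UTC (RFC 4034 3.2).
RRSIG_TS = "%Y%m%d%H%M%S"


@dataclass
class RRSig:
    owner: str
    type_covered: str
    original_ttl: int
    expiration: datetime
    inception: datetime
    signer: str


def parse_rrsig_time(ts: str) -> datetime:
    """Parse an RRSIG inception or expiration field into an aware UTC datetime."""
    return datetime.strptime(ts, RRSIG_TS).replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSig:
    """Parse one RRSIG record in presentation format.

    Field order: owner ttl class RRSIG type-covered algorithm labels original-ttl
    expiration inception key-tag signer signature.
    """
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return RRSig(
        owner=f[0],
        type_covered=f[4],
        original_ttl=int(f[7]),
        expiration=parse_rrsig_time(f[8]),
        inception=parse_rrsig_time(f[9]),
        signer=f[11],
    )


def dnssec_exposure(sig: RRSig, clamp_to_signature: bool = True) -> timedelta:
    """Upper bound on how long a mis-published but validly signed RRset is accepted.

    A validating resolver rejects the RRSIG once it has expired, and RFC 4035
    section 4.5 directs it not to cache the RRset beyond the signature's
    expiration, so the window is at most the signature lifetime. A cache that
    does not clamp (e.g. a non-validating forwarder) can serve a copy fetched
    just before expiration for up to the original TTL on top of that.
    """
    window = sig.expiration - sig.inception
    if not clamp_to_signature:
        window += timedelta(seconds=sig.original_ttl)
    return window


def pkix_exposure(not_before: datetime, not_after: datetime) -> timedelta:
    """Without revocation, a misissued certificate is accepted until notAfter."""
    return not_after - not_before


# Constructed sample: a 7-day signature over a TLSA RRset with a 1-hour TTL.
SAMPLE_RRSIG = (
    "_443._tcp.example.com. 3600 IN RRSIG TLSA 8 4 3600 "
    "20121121000000 20121114000000 12345 example.com. c29tZS1zaWduYXR1cmU="
)
# Constructed sample: a one-year certificate issued the same day.
CERT_NOT_BEFORE = datetime(2012, 11, 14, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2013, 11, 14, tzinfo=timezone.utc)


def summarize() -> dict:
    """Return the exposure windows in seconds for the constructed samples."""
    sig = parse_rrsig(SAMPLE_RRSIG)
    return {
        "dane_validating": int(dnssec_exposure(sig).total_seconds()),
        "dane_unclamped_cache": int(dnssec_exposure(sig, False).total_seconds()),
        "pkix": int(pkix_exposure(CERT_NOT_BEFORE, CERT_NOT_AFTER).total_seconds()),
    }


if __name__ == "__main__":
    for name, seconds in summarize().items():
        print(f"{name}: {seconds} s ({seconds / 86400:.2f} days)")
```

The operator controls both numbers on the DANE side (signature lifetime via the signer's policy, TTL via the zone), which is the "damage period" lever the message refers to; on the PKIX side the window is fixed at issuance unless revocation actually reaches the client.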