Re: [therightkey] [dane] DANE and CT

Frederico A C Neves <fneves@registro.br> Wed, 14 November 2012 18:49 UTC

Date: Wed, 14 Nov 2012 16:48:59 -0200
From: Frederico A C Neves <fneves@registro.br>
To: Ben Laurie <benl@google.com>
Message-ID: <20121114184859.GB18212@registro.br>
Cc: therightkey@ietf.org, Paul Wouters <paul@nohats.ca>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT

On Wed, Nov 14, 2012 at 04:35:31PM +0000, Ben Laurie wrote:
> On 14 November 2012 16:30, Paul Wouters <paul@nohats.ca> wrote:
> > On Wed, 14 Nov 2012, Ben Laurie wrote:
...
> >>> What problem would CT for DANE be aiming to fix?
> >>
> >>
> >> By all means add that to the list of questions :-)
> >>
> >> But I assume the same problem CT already fixes: misissuance of certs
> >> (which in the DNSSEC world I guess mostly boils down to bad
> >> delegation).
> >
> >
> > Does that make sense though? With RRSIG validity times and TTLs you
> > can set your "damage period" as small as you want. There is no issue
> > like with certificates where your credentials can be abused for up to
> > 12 months.
> >
> > The only use I could see is as an alternative mechanism to transfer these
> > records into the application that does not require a clean DNS transport.
> >
> > I think CT is a bandaid for PKIX that does not apply to DANE.
> >
> > I think the problem with DANE/DNSSEC right now is the additional latency
> > and dns transport issues (hotspots, VPN, etc) but I don't think CT is
> > very well suited to address those.
> 
> a) Why would an attacker use your validity times?

What do you mean? What is your attack scenario? This thread quickly
starts to move onto marshy soil.

Fred