Re: [therightkey] [dane] DANE and CT
Frederico A C Neves <fneves@registro.br> Wed, 14 November 2012 18:49 UTC
Date: Wed, 14 Nov 2012 16:48:59 -0200
From: Frederico A C Neves <fneves@registro.br>
To: Ben Laurie <benl@google.com>
Cc: therightkey@ietf.org, Paul Wouters <paul@nohats.ca>, IETF DANE WG list <dane@ietf.org>
On Wed, Nov 14, 2012 at 04:35:31PM +0000, Ben Laurie wrote:
> On 14 November 2012 16:30, Paul Wouters <paul@nohats.ca> wrote:
> > On Wed, 14 Nov 2012, Ben Laurie wrote:
...
> >>> What problem would CT for DANE be aiming to fix?
> >>
> >> By all means add that to the list of questions :-)
> >>
> >> But I assume the same problem CT already fixes: misissuance of certs
> >> (which in the DNSSEC world I guess mostly boils down to bad
> >> delegation).
> >
> > Does that make sense though? With RRSIG validity times and TTLs you
> > can set your "damage period" as small as you want. There is no issue
> > like with certificates where your credentials can be abused for up to
> > 12 months.
> >
> > The only use I could see is as an alternative mechanism to transfer these
> > records into the application that does not require a clean DNS transport.
> >
> > I think CT is a bandaid for PKIX that does not apply to DANE.
> >
> > I think the problem with DANE/DNSSEC right now is the additional latency
> > and dns transport issues (hotspots, VPN, etc) but I don't think CT is
> > very well suited to address those.
>
> a) Why would an attacker use your validity times?

What do you mean? What is your attack scenario?

This thread quickly starts to move to a marshy soil.

Fred
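To put numbers on the point raised in the quoted text, that RRSIG validity times and TTLs bound how long a signed DANE record can be abused, here is an added example (not from any participant in this thread) that parses a constructed RRSIG for a TLSA RRset, applies the RFC 4034 section 3.1.5 time-window check a validator performs, and computes the cache TTL cap from RFC 4035 section 5.3.3. The owner name, key tag and signature bytes are made up.

```python
"""Added example: how long a captured, DNSSEC-signed TLSA RRset stays acceptable
to a validator, derived from its RRSIG validity window and TTL."""
from datetime import datetime, timezone

# Constructed RRSIG in presentation format for a TLSA RRset; name, key tag and
# signature are fictional. RDATA order (RFC 4034 s3.2): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer name, signature.
SAMPLE_RRSIG = ("_443._tcp.example.com. 3600 IN RRSIG TLSA 8 4 3600 "
                "20121121184859 20121114184859 12345 example.com. "
                "Zm9vYmFy")  # placeholder, not a real signature


def rrsig_time_to_epoch(yyyymmddhhmmss):
    """Convert an RRSIG time field (UTC) to seconds since the Unix epoch."""
    dt = datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig(rr):
    """Return (rrsig_ttl, original_ttl, inception, expiration); times in epoch seconds."""
    fields = rr.split()
    rdata = fields[fields.index("RRSIG") + 1:]
    return (int(fields[1]), int(rdata[3]),
            rrsig_time_to_epoch(rdata[5]), rrsig_time_to_epoch(rdata[4]))


def rrsig_time_valid(inception, expiration, now):
    """RFC 4034 s3.1.5: the signature verifies only inside [inception, expiration]."""
    return inception <= now <= expiration


def replay_window(inception, expiration):
    """Longest period (seconds) during which a captured signed RRset could be
    replayed to validators, regardless of what the zone publishes meanwhile."""
    return expiration - inception


def effective_cache_ttl(rrset_ttl, rrsig_ttl, original_ttl, expiration, now):
    """RFC 4035 s5.3.3: a validating resolver caps the cached TTL at the smallest
    of the RRset TTL, RRSIG TTL, original TTL and time left until expiration."""
    return max(0, min(rrset_ttl, rrsig_ttl, original_ttl, expiration - now))


if __name__ == "__main__":
    sig_ttl, orig_ttl, inc, exp = parse_rrsig(SAMPLE_RRSIG)
    now = rrsig_time_to_epoch("20121114190000")
    print("replay window (days):", replay_window(inc, exp) / 86400)
    print("valid now:", rrsig_time_valid(inc, exp, now))
    print("cache TTL 10 min before expiry:",
          effective_cache_ttl(3600, sig_ttl, orig_ttl, exp, exp - 600))
```

With the constructed seven-day signature lifetime the replay window is 604800 seconds, against the "up to 12 months" cited for certificates in the quoted text.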