[therightkey] DANE and CT

Ben Laurie <benl@google.com> Wed, 14 November 2012 15:48 UTC

Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C362021F865D for <therightkey@ietfa.amsl.com>; Wed, 14 Nov 2012 07:48:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.826
X-Spam-Level:
X-Spam-Status: No, score=-102.826 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWkmSA8mX0pI for <therightkey@ietfa.amsl.com>; Wed, 14 Nov 2012 07:48:23 -0800 (PST)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 3970421F8651 for <therightkey@ietf.org>; Wed, 14 Nov 2012 07:48:23 -0800 (PST)
Received: by mail-vb0-f44.google.com with SMTP id fc26so625826vbb.31 for <therightkey@ietf.org>; Wed, 14 Nov 2012 07:48:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=LOfCzzh4wkPSUhMbYcpEb2lHWUZsdW/aCI7JLU0iMBs=; b=KJKwfTnsZMaPTvVEWCzrMDHpAgZw0l9CnZDqMgFpb7o0+AIkWwYDCYABfHQ7gvGtbE 90JcWjAGBi64W4tw4tvGGrtoCzs7iLXJxOYGgm1m+aMn/5Rjrj6JA4f/QBiwmluUrk0Z mKnXKOMROAWJh62MrO7pKWcolOTrKaaOuNF06XjoBJHleUjPG8RrV44kGPnleNi6Fibj auts2Nzn9UEApjG6BBdH0o3PINWaTmPxr9ZopyqjkfavDSSfhwKzlcq0B5REYGvE6uUM OnhxdONOFVc8mJODiexM+IZxG9XmYqTcP2c0iKQjFGOu2rbN7lalqNAVND35Ptw7GNbG L9Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-gm-message-state; bh=LOfCzzh4wkPSUhMbYcpEb2lHWUZsdW/aCI7JLU0iMBs=; b=hBM2kiIu3IuKcGe76gPcvZW5H4fd7GPTjBUlPL1jf4soVLi9Xc1jNgb0bBzJMGNxv9 w+UFBVE9+LZxcIV/6Lfijr5FmfxISbxOlAEiNJXOYaHjkaCeU8XZ/ntXmO9qfRhr7WhY aHq+sj2qwfrX69ZfUSfDESi+tTRmFXJpjAkAWWZJhuIzIb3YnlGVnEDYpc+jFQ7KdsJ3 kBDihXP5noE1X3k3uZyTENkXLfmFDj74JiILnM+oy0vDCYJ+zceV/VkzFRQlTpF7zhSh WLtmVnmP58foXpf3JTjdAtNVkPFipvdfcoY/fF/jwoIIJ1CoyH+/Zl6rHI+9DPhtZvyG T+Og==
MIME-Version: 1.0
Received: by 10.220.155.132 with SMTP id s4mr11456480vcw.15.1352908102445; Wed, 14 Nov 2012 07:48:22 -0800 (PST)
Received: by 10.220.228.6 with HTTP; Wed, 14 Nov 2012 07:48:22 -0800 (PST)
Date: Wed, 14 Nov 2012 15:48:22 +0000
Message-ID: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: IETF DANE WG list <dane@ietf.org>, therightkey@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQlEiqacq3OyDGhN8M6DtSwCH+1pl7U/HQTgzxhtSnf0UPnC8BQs5eI5kWK3AQPKSR/4FbNyf3nLoqusyHjT2Ur/9v7EsrIK+KHeb30qTREFWsz2gdEn8LAf5LFyOfi6puFkQTAzoiVF9n7VkY9oEG9P5YMwbEKl8dqpVWRWVCsv0Wh7NT3qegqFc6rqenTLeTfUsFSQ
Subject: [therightkey] DANE and CT
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 15:48:23 -0000

At the CT BoF the question was raised: what about DANE?

Which is a good question. So, I think Google is prepared to
contemplate running a CT log for DANE, but this leaves some
questions...

a) What would we log? DNSSEC keys as well as certs? Only DNSSEC keys?
Something else?

b) How do we prevent the log getting spammed out of existence as soon
as it becomes useful?

c) When someone observes badness in the log, what do they do about it?

I do not intend to drive the answers to these questions, but if
someone supplies them I will certainly consider running a DANE log.