Re: [therightkey] [dane] DANE and CT
Ben Laurie <benl@google.com> Fri, 16 November 2012 11:23 UTC
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF21221F84DD for <therightkey@ietfa.amsl.com>; Fri, 16 Nov 2012 03:23:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.906
X-Spam-Level:
X-Spam-Status: No, score=-102.906 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ShGNV1uL4pwQ for <therightkey@ietfa.amsl.com>; Fri, 16 Nov 2012 03:23:10 -0800 (PST)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 222B821F84D7 for <therightkey@ietf.org>; Fri, 16 Nov 2012 03:23:10 -0800 (PST)
Received: by mail-vb0-f44.google.com with SMTP id fc26so2977731vbb.31 for <therightkey@ietf.org>; Fri, 16 Nov 2012 03:23:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VyVjZGX1xf/YPBKCKB9aYoe6TiLuAuhNe3q4U+HVmfs=; b=AzeW2FladyRRDvs+VicQo0xXAP+YqLOwejlD4NFuBr8SfcZMrlbz74BuvHdmVMBnsp XgwjupbyJZUwJh52l4u68NK+1O3XqNOChkUAYlThrJzdUIhdqwx5xCShs3wQLgLNZ5PX Ljg7H+jzlaR5FP74b9D9TBBU6W6HRpWcHkH8A8PV2R38/yy3eswmv4cMx5+ZGjKSpL28 OaN5+OSlR8EJXzv5Bg0lCQM03r4+0v86UPkRLBD4TGitmQjLpleOHOUyZGvobFAN1VwR zYVh5EN66ZunB1dV+cp7dn27fRJf4chkjdcfHBkP56h+XImjYoH7uj9bxA7rtw00vlC+ HyiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=VyVjZGX1xf/YPBKCKB9aYoe6TiLuAuhNe3q4U+HVmfs=; b=PXT0Kbu/YRg4emU/Q+G4ln+BTA/9N13o343AaYs7ABsgowXRWgo8QS6/fN9RytY53k RZB0WTLbPS8UUiK/WjzMnZHNn7v5Z2nChD9h1HzLM8ouyGrjfsfJTB+e/Kb4tCudBIju pnDTJfnlCfJpJ16NfIPY5jmvB/kJNoghmnIrFam3+qI6prqxJGTb+IX/tqAE5kLNUD6f gvR53L3N9/SIQMb2zPCCYFhsgq/TBQ/K6H1AdxIHiuL+Il34vw7Y9CZT0tich+zV3ae5 pMKb4TZ1gIXrF2qDDaQrfnruvGTYRuIhtvH9Jmjup3VASi6ADviFc+Y5Sz65pl73QIwf KO+A==
MIME-Version: 1.0
Received: by 10.52.100.5 with SMTP id eu5mr5152075vdb.34.1353064989438; Fri, 16 Nov 2012 03:23:09 -0800 (PST)
Received: by 10.220.228.6 with HTTP; Fri, 16 Nov 2012 03:23:09 -0800 (PST)
In-Reply-To: <alpine.LFD.2.02.1211151501490.17666@bofh.nohats.ca>
References: <CABrd9SRyv+UerPJBf+gw47nWj3t4ekHRnWsKC0pHcadHV5mvmw@mail.gmail.com> <alpine.LSU.2.00.1211141601220.27013@hermes-1.csi.cam.ac.uk> <CABrd9SQ7mt_DSkVimrJ03K9suXEQzYSc_vZ3qUtGLCiphvRetQ@mail.gmail.com> <alpine.LFD.2.02.1211141124490.4326@bofh.nohats.ca> <CABrd9SSv7vfxOhogGmYSWC8hROyXL_z4TJC8mxNMW-apSg5Y0Q@mail.gmail.com> <alpine.LFD.2.02.1211151501490.17666@bofh.nohats.ca>
Date: Fri, 16 Nov 2012 11:23:09 +0000
Message-ID: <CABrd9SQPg+5CJk_Quv3J_kOedd+NeDc2aqregdcbWnZofjb8kg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQnEYfw5AjzJKPbLJHAcqbc6LlsFaXoPPI5G+QlJH4Iwb9qfMMOxtU6xWomoMb/V2jbgr1TVAsH5FxsBH/bfe/6+aF9gVPCrOqdkEWoSFugEIDIM7m1jvnTIAImYAamJya1RoJ3DJldFp61CxE8kFf/uR1l5UduMYj2+i77dH28LzkH3sMu7BdHlHqU4TGMvOCsWo8yj
Cc: Tony Finch <dot@dotat.at>, therightkey@ietf.org, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2012 11:23:11 -0000
On 15 November 2012 20:10, Paul Wouters <paul@nohats.ca> wrote: > On Wed, 14 Nov 2012, Ben Laurie wrote: > >>> I think CT is a bandaid for PKIX that does not apply to DANE. >>> >>> I think the problem with DANE/DNSSEC right now is the additional latency >>> and dns transport issues (hotspots, VPN, etc) but I don't think CT is >>> very well suited to address those. >> >> >> a) Why would an attacker use your validity times? > > > Because there are DNSSEC keys to back the time slots used, and > without it, the data can and should be rejected. This argument is circular: clearly if no-one ever gets control of keys for your domain, you don't have a problem. Validity times are irrelevant. If someone does get control, they control validity times, no? >> b) Weren't you amongst those asking for CT to support DANE during the BoF? > > I wanted CT to not exclude DANE, and thereby enforcing an artificial TLS > certificate market where I have to pay $10-$150 a year to be "accepted" > in browsers via CT. What I understood was that browser vendors that > were looking at CT and DANE would specifically not be supoprted. The > first thought was to have a DANE backed CT that could be configured, > purely to get the DANE information (valid key + TTL/RRSIG info) into > the browsers that don't support or want to support DNSSEC (chains). > > But the DANE/DNSSEC information does not need an publicly shared audit > log. Its current up to date validity is available in the DNS at all > times, cached and distributed. You have a lot of faith in a mechanism that is not designed to provide a globally consistent view. How does DNS prevent bad actors from showing local views of the DNS? (Hint: it doesn't). This is precisely what CT does, and is exactly the value it adds to this kind of system. As for CT vs DANE, it is precisely because DNS does not provide a robust infrastructure that DANE cannot be allowed to override CT. This can be fixed by making DANE use some kind of equivalently strong transparency. I agree with others that this is probably better applied to DS records than to TLSA records. > > Paul
- [therightkey] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Tony Finch
- Re: [therightkey] [dane] DANE and CT Warren Kumari
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Tom Ritter
- Re: [therightkey] [dane] DANE and CT Tony Finch
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Tom Ritter
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Carl Wallace
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Frederico A C Neves
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT Paul Hoffman
- Re: [therightkey] [dane] DANE and CT Shumon Huque
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Danny McPherson
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT Danny McPherson
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Ben Laurie
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Wouters
- Re: [therightkey] [dane] DANE and CT Paul Hoffman
- Re: [therightkey] [dane] DANE and CT Phillip Hallam-Baker
- Re: [therightkey] [dane] DANE and CT James Cloos
- Re: [therightkey] [dane] DANE and CT Ben Laurie