Re: [therightkey] [dane] DANE and CT

Ben Laurie <benl@google.com> Wed, 14 November 2012 17:07 UTC

Date: Wed, 14 Nov 2012 17:07:58 +0000
Message-ID: <CABrd9ST8duM=U-0g02yres_qEY5tnLY6dXLJzxcXiKYEqmiFNA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tony Finch <dot@dotat.at>
Cc: therightkey@ietf.org, Warren Kumari <warren@kumari.net>, IETF DANE WG list <dane@ietf.org>

On 14 November 2012 17:02, Tony Finch <dot@dotat.at> wrote:
> Warren Kumari <warren@kumari.net> wrote:
>>
>> If I run example.com and someone managed to generate / publish a TLSA
>> record for that I'd sure like to know about it.
>
> Right. But in PKIX a mis-issued certificate has nothing to do with your
> own infrastructure, whereas with DANE it implies that your infrastructure
> (or the infrastructure of your DNS service providers) has been
> compromised.

Isn't the infrastructure of your DNS service providers nothing to do
with your own infrastructure? Not to mention your TLD's
infrastructure, and that of all of their registrars (and, presumably,
DNS service providers)?

> I'm a bit worried about the operational implications: PKIX CT is extra
> work for CAs, but DANE CT is extra work for everyone.

Only everyone who uses keys, and they've already signed up for quite a
lot of work.

> So I'm skeptical that the cost/benefit tradeoff is positive.

I am unconvinced by your argument.

>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
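The wish expressed earlier in the thread, knowing when a TLSA record you did not publish shows up under your name, does not need a log to get started: a zone owner can compare the TLSA RRset visible in DNS against the associations they intended to publish. The following is an added example written for this archive page, not code from any participant in the thread. It assumes a hypothetical monitor that receives the RRset as text in the presentation format `dig` prints; the DNS answer and the "certificate" bytes are constructed inline so it runs offline (a real check would resolve the name with DNSSEC validation and feed it the deployed DER certificate). Only selector 0 (full certificate) is implemented, since selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser.

```python
"""Self-monitoring of a zone's TLSA RRset (added example, hypothetical monitor).

Reports three things about the observed RRset:
  - unexpected: records present in DNS that the operator never intended to publish
  - missing:    intended records that are absent from the answer
  - stale:      intended records that no longer match the deployed certificate
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # certificate usage field (0-3, RFC 6698)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: str       # certificate association data as lowercase hex


def parse_tlsa(line: str) -> TLSA:
    """Parse one TLSA RR in presentation format, e.g.
    '_443._tcp.example.com. 3600 IN TLSA 3 0 1 <hex>'.
    The hex field may be split across whitespace, as dig prints it."""
    fields = line.split()
    idx = fields.index("TLSA")
    usage, selector, matching = (int(x) for x in fields[idx + 1:idx + 4])
    data = "".join(fields[idx + 4:]).lower()
    return TLSA(usage, selector, matching, data)


def cert_assoc_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Compute the association data a TLSA record should carry for cert_der."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not handled in this example")
    if matching == 0:
        return cert_der.hex()
    if matching == 1:
        return hashlib.sha256(cert_der).hexdigest()
    if matching == 2:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown matching type {matching}")


def audit_tlsa(observed_lines, expected: set, cert_der: bytes) -> dict:
    """Compare the observed RRset with the intended set and the deployed cert."""
    observed = {parse_tlsa(line) for line in observed_lines if " TLSA " in line}
    unexpected = observed - expected
    missing = expected - observed
    stale = {
        r for r in observed & expected
        if r.selector == 0 and r.data != cert_assoc_data(cert_der, 0, r.matching)
    }
    return {"unexpected": unexpected, "missing": missing, "stale": stale}


# Constructed sample input: an arbitrary byte string stands in for the DER
# certificate, and the "DNS answer" is an inline list rather than a live query.
CERT_DER = b"constructed stand-in for a DER-encoded certificate"
EXPECTED_RECORD = TLSA(3, 0, 1, cert_assoc_data(CERT_DER, 0, 1))
OBSERVED_ANSWER = [
    f"_443._tcp.example.com. 3600 IN TLSA 3 0 1 {EXPECTED_RECORD.data[:32]} "
    f"{EXPECTED_RECORD.data[32:]}",
    # A second record nobody at example.com published (constructed, all-zero hash).
    "_443._tcp.example.com. 3600 IN TLSA 3 0 1 " + "00" * 32,
]


def demo_report() -> dict:
    """Run the audit over the constructed answer; returns one unexpected record."""
    return audit_tlsa(OBSERVED_ANSWER, {EXPECTED_RECORD}, CERT_DER)


if __name__ == "__main__":
    for category, records in demo_report().items():
        for r in sorted(records, key=lambda x: x.data):
            print(f"{category}: usage={r.usage} selector={r.selector} "
                  f"matching={r.matching} data={r.data[:16]}...")
```

In operation the interesting output is the `unexpected` set: it is exactly the class of event the thread wants surfaced, and the zone owner can act on it (check the zone file, the provider's control panel and the DNSSEC chain) without waiting for anyone else to log the record.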