IETF Logo Mail Archive

Re: [TLS] raw public keys in the wild?

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 August 2018 21:15 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A00130F09 for <tls@ietfa.amsl.com>; Thu, 23 Aug 2018 14:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrQQYrsV_xaB for <tls@ietfa.amsl.com>; Thu, 23 Aug 2018 14:15:10 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CDA1130E20 for <tls@ietf.org>; Thu, 23 Aug 2018 14:15:10 -0700 (PDT)
Received: from [10.200.0.109] (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id C28D41BEFF for <tls@ietf.org>; Thu, 23 Aug 2018 17:15:09 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAL02cgTnmJnz5sNLDC8bJ5R0pfPsAUqudmTCZ+_Dm_5G2p2=zw@mail.gmail.com>
Date: Thu, 23 Aug 2018 17:15:06 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: tls@ietf.org
Message-Id: <5D210DCA-F9AF-4B2F-BD26-13877E174DFE@dukhovni.org>
References: <A51CF46A-8C5F-4013-A4CE-EB90A9EE94CA@akamai.com> <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net> <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com> <8A2746A8-6B41-45C3-9D77-6AF3536C6E2D@siemens.com> <DM5PR2201MB1433B9D7F9AA3B7B688CD33C99310@DM5PR2201MB1433.namprd22.prod.outlook.com> <CAPt1N1mm9FzGknCUTOVZH_S=AsjutXS8qM7Ksa8xWwsSKKAgAg@mail.gmail.com> <EC6705A4-A6CB-45B4-B006-FC0AE42FA6DD@dukhovni.org> <CABcZeBO8tBN4a4SZirxbwNdRyep705dNgGZiuKydg=xu1JT_uQ@mail.gmail.com> <3321850E-D95E-457C-A574-2A1A3F7AC06C@dukhovni.org> <1534902946308.39422@cs.auckland.ac.nz> <20180822030846.GN28851@straasha.imrryr.org> <1534913286161.86694@cs.auckland.ac.nz> <CAL02cgTnmJnz5sNLDC8bJ5R0pfPsAUqudmTCZ+_Dm_5G2p2=zw@mail.gmail.com>
To: tls@ietf.org
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KsMGcdZ-_Aj-3MUl1bX0O1eYre4>
Subject: Re: [TLS] raw public keys in the wild?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Aug 2018 21:15:12 -0000


> On Aug 23, 2018, at 5:07 PM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Since we're talking about bare public keys / not verifying certificates again, a brief reminder:
> 
> https://tools.ietf.org/html/draft-barnes-dane-uks-00

Yes, what do you want to do with that draft?  The conclusions for
HTTPS are correct.  For SMTP, UKS surely does not apply, one can
already direct one's SMTP traffic to a different server by just
pointing MX records there...  Ditto for protocols that use SRV
indirection.

So I'd support moving that forward, but perhaps with a more
nuanced set of conditions on when host name checks must not
be skipped.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email