Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 09 April 2018 18:33 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Paul Wouters <paul@nohats.ca>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
Date: Mon, 09 Apr 2018 18:33:22 +0000
Message-ID: <MWHPR14MB1376F7072DDDE11B423BD0A183BF0@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CAL02cgSOQVZR96Veh7EEMCoQO7-+5ucdBiAUcAXGt6QFEopXNA@mail.gmail.com> <CAL02cgTQgpAGBv1+-2GTCPSgNDD5TMd0xQw8bQDpe9BiacBarA@mail.gmail.com> <20180405023106.GJ25259@localhost> <CABcZeBPcqLrSdAcJaeXKsLY6vzT1UquCdiQX0yHSBDoV0re7eA@mail.gmail.com> <CAL02cgTB3FsBYz5jjF2xbOWXSr38q3dVsi1Qo-Ptyhhzeh=60Q@mail.gmail.com> <alpine.LRH.2.21.1804050507100.22565@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1804050507100.22565@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RCQRN0be2rPEpW7i28Yju0TLNUA>


> The webpki is changing dramatically. The amount of CAB/forum violations
> seems to be increasing, partially as a result of these violations getting
> exposed by certificate transparency and perhaps partially because of the
> financial strain caused by the free LetsEncrypt.

Uninformed speculations that are just flat out wrong do not help anyone.

LetsEncrypt, if anything, has been a big help to the CA industry.  Both free 
and paid offerings are seeing significant growth.  Let's not spread FUD about 
"financial strain" that does not actually exist.  And furthermore, it's best 
not to suggest hypothetical unproved ("seems to be") observations are caused by 
the previously mentioned cause that doesn't actually exist.  That's 
irresponsible.

Tools like cablint have actually contributed far more to improvements in the 
technical compliance of certificates from vendors who previously didn't adhere 
that closely to strict compliance with RFCs, CABF requirements, required 
certificate profiles, and so on.  CT is less responsible, as it is only 
required for EV (though many large CAs have voluntarily started logging all 
certificates).  Many bad certificates were still found the old fashioned way: 
by crawling for them.

There's an old story about an intelligence analyst who found a handful of 
suspicious structures in a remote desert.  More resources were assigned to 
figure out what they were.

A few months later, the number of structures was observed to be increasing 
rapidly.  More resources were assigned.

Pretty soon, new ones were found every day.  People started panicking, and 
someone was dispatched to investigate on the ground.

It turned out to be a kind of water condenser common in the region, and the 
increase in numbers was only because people had started looking for them. 
They had always been there, just no one paid attention to them.

The truth is that the increase in activity around problems with various 
certificates is because people are just paying far more attention to even the 
smallest, most obscure details of every issued web PKI certificate these days: 
far, far more than they did even just two or three years ago.

And that's a good thing, not a bad thing.  Progress is being made.  The 
certificates being issued by almost every CA out there are much technically 
cleaner than they were when I first started doing CA things, maybe five years 
ago.

The Symantec swamp cleanup effort is also responsible for a significant 
fraction (the majority?) of recent reports.

-Tim