Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <nico@cryptonector.com> Wed, 18 April 2018 21:10 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFF92126C3D for <tls@ietfa.amsl.com>; Wed, 18 Apr 2018 14:10:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enj-2850Q0FP for <tls@ietfa.amsl.com>; Wed, 18 Apr 2018 14:09:58 -0700 (PDT)
Received: from homiemail-a49.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5FCB126CD6 for <tls@ietf.org>; Wed, 18 Apr 2018 14:09:58 -0700 (PDT)
Received: from homiemail-a49.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a49.g.dreamhost.com (Postfix) with ESMTP id 4DE3768024A4A; Wed, 18 Apr 2018 14:09:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=WOYAj84THB8xLx dF3BwXbxBI7ZE=; b=mig9LWpltryY3gNJ7j3HggJv2YYjsh2onee+QF1Ayg/RPy UvgNTMJxsiG0ja/VqT2R39MOt0aJ85fbesmDwJsRyVYc4FzP7PUiMmTKcpVmmoV4 l/zHTKtOCeumPZhs4KzjfszadMxl+euXqYGFpVL9N7cvPoDlMhCPG6JDXJf+w=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a49.g.dreamhost.com (Postfix) with ESMTPSA id 01C1868024A42; Wed, 18 Apr 2018 14:09:57 -0700 (PDT)
Date: Wed, 18 Apr 2018 16:06:16 -0500
From: Nico Williams <nico@cryptonector.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20180418210615.GF25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <CAOgPGoCbHzuAZra5+i647gtLbR9ZV0-nEE+A7K6e8cUMNjNYtA@mail.gmail.com> <alpine.LRH.2.21.1804181640480.29344@bofh.nohats.ca> <CAL02cgSQbvyXuekd7x_g0DHcxYmfsydKXGDs6EQwuX5ScPYucQ@mail.gmail.com> <81405A7A-B7DC-45B1-8F7C-B96D3FD121AE@dukhovni.org> <CAL02cgQAA6ktnkPwaCKsrzi9tYrs3ELcW6KG=UfM43iO5smdEA@mail.gmail.com> <BBFCA54E-3059-48A8-AB5C-60F1BACA3F3A@dukhovni.org> <CAL02cgRNeX93g0VhSrdAs8bX5nxC9HxyK_9n-wKzZQo=pynNhw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgRNeX93g0VhSrdAs8bX5nxC9HxyK_9n-wKzZQo=pynNhw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fSaT7m05ahyq_ZCZjxy367XC4rc>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2018 21:10:02 -0000

On Wed, Apr 18, 2018 at 05:01:54PM -0400, Richard Barnes wrote:
> On Wed, Apr 18, 2018 at 4:56 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> > > On Apr 18, 2018, at 4:52 PM, Richard Barnes <rlb@ipv.sx> wrote:
> > >
> > > Secondary point.  Still don't think we should deliberately include
> > > undefined fields, e.g., because part of the discussion is whether 16 bits
> > > is the right size.
> >
> > 16 bits is clearly enough.  If the units are hours that gets you ~7.5
> > years.  Pinning for less than an hour is pointless; it then becomes smaller
> > than typical DNS TTLs for the TLSA RRset the client got previously, which
> > it can cache without any pinning.
> >
> > Pinning for more than 7.5 years is absurd; it only protects clients that
> > connect less than twice per decade...
> 
> 640k should be enough for anyone.

That's just silly.  Really, 7.5 years (relative, not absolute) measured
in hours is plenty good enough, and more than outlives current device
obsolescence.  This isn't subject to Moore's law or anything like it.

> `preload`?  `includeSubdomains`?  Experience with HSTS and HPKP shows you
> need more than an integer.

No, we need none of those things.  We want only to pin the presence of
this extension.  Anything else would be operationally difficult (as seen
with HPKP).  As to subdomains, we're willing to live with TOFU semantics
for all of them.

Nico
--
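An added example, not from the draft or from anyone in this thread, of the client-side pin handling the discussion is about: a 16-bit lifetime field in hours (so at most 65535 hours, about 7.5 years) applied as a relative, refreshed-on-each-handshake, trust-on-first-use pin on the presence of the extension, with nothing pinned about keys, subdomains or preloading. The names (`ExtensionPinStore`, `encode_pin`, `decode_pin`), the big-endian encoding, and the treatment of a zero lifetime as unpinning are assumptions for illustration, not the draft's wire format; only the unit (hours) and the 16-bit width come from the messages above.

```python
import struct
import time
from typing import Optional

MAX_PIN_HOURS = 0xFFFF      # largest value a 16-bit field can carry
SECONDS_PER_HOUR = 3600


def pin_hours_to_years(hours: int) -> float:
    """Lifetime in hours expressed in (Julian) years; 0xFFFF gives ~7.5."""
    return hours / (24 * 365.25)


def encode_pin(hours: int) -> bytes:
    """Assumed encoding: the lifetime as a 16-bit network-order integer."""
    if not 0 <= hours <= MAX_PIN_HOURS:
        raise ValueError("pin lifetime must fit in 16 bits")
    return struct.pack("!H", hours)


def decode_pin(data: bytes) -> int:
    """Inverse of encode_pin; rejects anything but exactly two bytes."""
    if len(data) != 2:
        raise ValueError("pin field must be exactly 2 bytes")
    return struct.unpack("!H", data)[0]


class ExtensionPinStore:
    """TOFU pin on the presence of the extension, per server name.

    A lifetime is relative to the handshake in which it was received
    (not an absolute date), and is refreshed on every handshake that
    carries the extension, so a live deployment never ages out.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}   # server name -> absolute expiry on the local clock

    def observe(self, name: str, extension_present: bool,
                pin_hours: Optional[int]) -> None:
        """Record what a completed handshake told us about this name."""
        if not extension_present or pin_hours is None:
            return          # nothing to pin; first-use names stay unpinned
        if pin_hours == 0:
            # Assumption: a zero lifetime means "stop requiring the extension".
            self._expiry.pop(name, None)
            return
        self._expiry[name] = self._clock() + pin_hours * SECONDS_PER_HOUR

    def must_require(self, name: str) -> bool:
        """True while an unexpired pin says the extension must be present."""
        expiry = self._expiry.get(name)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._expiry[name]   # lazily drop expired pins
            return False
        return True

    def check_handshake(self, name: str, extension_present: bool,
                        pin_hours: Optional[int]) -> bool:
        """Accept or reject a handshake, then update the pin.

        A handshake without the extension is rejected only when a pin is
        in force; an unknown name is accepted either way (TOFU).
        """
        if not extension_present and self.must_require(name):
            return False
        self.observe(name, extension_present, pin_hours)
        return True
```

The store keeps expiry on the client's own clock and only ever pins one bit of state per name (that the extension must appear), which is what makes this cheaper to operate than HPKP-style key pins: there is no key to rotate, and a server can let the pin lapse simply by continuing to serve the extension until it stops sending a lifetime.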