IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Paul Wouters <paul@nohats.ca> Thu, 05 April 2018 09:13 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E4551201FA for <tls@ietfa.amsl.com>; Thu, 5 Apr 2018 02:13:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4kSqLcMi-kM3 for <tls@ietfa.amsl.com>; Thu, 5 Apr 2018 02:13:51 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A300F1270AC for <tls@ietf.org>; Thu, 5 Apr 2018 02:13:47 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 40Gxvs3rhCz2C0 for <tls@ietf.org>; Thu, 5 Apr 2018 11:13:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1522919625; bh=gcZyHMPyR4Zv97gzgIF32AIxI1icf1n7vWSSTrXi9Ig=; h=Date:From:To:Subject:In-Reply-To:References; b=E0LgrO0FXEk5ngij0FiwwXpuQSYo2upcywBII4Z/KiO5WZ1Xv+CFuT2jID/gb84v7 AN24eqeHixwO2W6srqsXupHy0DylrbKrc+bF762+0Adb8jcQmraQQtQNGd7zSUYXqx sDC0wo0HdcrCj97mYMsdxZqwW9kOb80yUPliwaHo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id Zkc1_0KVXBd5 for <tls@ietf.org>; Thu, 5 Apr 2018 11:13:43 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <tls@ietf.org>; Thu, 5 Apr 2018 11:13:43 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 4FFD93531DD; Thu, 5 Apr 2018 05:13:42 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 4FFD93531DD
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 46ED84095AB2 for <tls@ietf.org>; Thu, 5 Apr 2018 05:13:42 -0400 (EDT)
Date: Thu, 05 Apr 2018 05:13:42 -0400
From: Paul Wouters <paul@nohats.ca>
To: tls@ietf.org
In-Reply-To: <CAL02cgTB3FsBYz5jjF2xbOWXSr38q3dVsi1Qo-Ptyhhzeh=60Q@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1804050507100.22565@bofh.nohats.ca>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <EDB0F480-1272-4364-9A3D-23F9E1A02141@dukhovni.org> <CABkgnnWBdp=KtmBVDcrR9-5tdVPfhWG7pWR0FE57H=iWS37dWw@mail.gmail.com> <C52564E1-ABCD-4E1A-8517-19743BD2180B@dukhovni.org> <CABcZeBMcvtQ6Ko-2Rmoq3BSVBOqdQwJ65vVrPK0cpSJ9nQCS3w@mail.gmail.com> <20180405022007.GG25259@localhost> <CAL02cgSOQVZR96Veh7EEMCoQO7-+5ucdBiAUcAXGt6QFEopXNA@mail.gmail.com> <CAL02cgTQgpAGBv1+-2GTCPSgNDD5TMd0xQw8bQDpe9BiacBarA@mail.gmail.com> <20180405023106.GJ25259@localhost> <CABcZeBPcqLrSdAcJaeXKsLY6vzT1UquCdiQX0yHSBDoV0re7eA@mail.gmail.com> <CAL02cgTB3FsBYz5jjF2xbOWXSr38q3dVsi1Qo-Ptyhhzeh=60Q@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fhVU_xDgqab9qCYGhQxPztXKqfw>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 09:13:53 -0000

On Thu, 5 Apr 2018, Richard Barnes wrote:

> And just to be clear, by "downgrade attack", you mean "normal PKI authentication that we rely on today".  There's nothing in here that degrades security

You mean other then LetsEncrypt destroying the ecosystem and leading to
a "one key to rule them all" situation?

The webpki is changing dramatically. The amount of CAB/forum violations
seems to be increasing, partially as a result of these violations getting
exposed by certificate transparancy and perhaps partially because of
the financial strain caused by the free LetsEncrypt. Allowing people to
deploy another PKI is not harmful - forcing people to stick with the
webpki could prove harmful.

> That doesn't mean there's not still some utility to be had. 

Your tls-extension use case can be supported regardless of the outcome
of this consensus call. That is not at stake today. Other people's valid
use cases are the ones that are at stake now.

Paul

v2.15.0 | Report a Bug | By Email