[Trans] DANE transparency
Richard Barnes <rlb@ipv.sx> Fri, 25 July 2014 15:59 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6261E1B2961 for <trans@ietfa.amsl.com>; Fri, 25 Jul 2014 08:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P--4XlG9X_dR for <trans@ietfa.amsl.com>; Fri, 25 Jul 2014 08:59:55 -0700 (PDT)
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com [209.85.218.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D42531B295F for <trans@ietf.org>; Fri, 25 Jul 2014 08:59:54 -0700 (PDT)
Received: by mail-oi0-f48.google.com with SMTP id h136so3497290oig.35 for <trans@ietf.org>; Fri, 25 Jul 2014 08:59:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=VY5vi64yFQhCfh+XAo83pVS3SZZAuTUX5c7/XuHDV20=; b=EXMVWzbcZJJPhCTKtQJvoyE31PA39joUTiYYp0/H4pN1JPGw17K/HUSo42mKowiIqR K/KL1o6N6OtiKZBv3g63xGt3cE+1w2q67Fi7JrJ8SyogDjoFM0qSoH83PfL9+gERUr2j OeEmyA/iYiRwPNWsYVs28BAw/Oa01377zgBbx9KtWp94Mt1m3l3YnhgRoJ7Fi5g2+HDL tT1PKejahLaWvlGnVYTYMweFV62GN5/E7ZfxCgnk3mVQHW8hTqD/bJi8iSId989geyXj yYMxEtLVGVnIZT3DN0rwhdYbQ3uUV/wKWvoDO+s8VSInVgb99ouaKiLmCXPsLE2JWKN6 I6jA==
X-Gm-Message-State: ALoCoQkBpOeLBNtNDa5TbE13VfZJMsxFY2LTEu4E3imnE8uXrCp9GzppTGC8pWZZp5MaC5pGrcm8
MIME-Version: 1.0
X-Received: by 10.182.126.233 with SMTP id nb9mr24433955obb.46.1406303994007; Fri, 25 Jul 2014 08:59:54 -0700 (PDT)
Received: by 10.60.92.1 with HTTP; Fri, 25 Jul 2014 08:59:53 -0700 (PDT)
Date: Fri, 25 Jul 2014 11:59:53 -0400
Message-ID: <CAL02cgRx2vreekdqbO6m-o8vW46DeP3wvDdRm2V_-9ZeYtm+yw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: trans@ietf.org
Content-Type: multipart/alternative; boundary="001a11c1e550027d5904ff06aa3a"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/4MDQmTiUmHY29DT5mvhsYLJbc8U
Subject: [Trans] DANE transparency
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 15:59:56 -0000
I didn't get my thoughts put together in time to get to the mic in the meeting today, but here's roughly what I was going to say: tl;dr: Spam on CT logs is the only major problem to solve here, and protocol is probably not the way to solve it. Doing transparency for the whole of DNSSEC is an unsolvable problem. It's massive, like Wes pointed out, and littered with tautological pitfalls. I could imagine some form of "DNSSEC pinning" allowing subordinates to impose hysteresis on frequently-accessed domains, but going further than that quickly approaches the madness that Stéphane noted. Instead of focusing on the internals of DNSSEC, we should focus on the things that actually impact protocol, i.e., the TLSA records at the leaf. Normal CT is totally sufficient for these -- certs/pubkeys asserted in TLSA are still certs/pubkeys. If we need to change the syntax to capture things slightly differently, we should do that, but it seems straightforward. The only reason that chains are needed in CT is to defend against spam. With DANE, the potential spammer is the authority, so he can make as many spam domains as he wants. So the "DNSSEC chain" is useless for spam mitigation. It's all so possible that DANE-asserted certs will change more often, so again, we might want to tweak what's logged (e.g., to log the public key). Fairly minor change. We're left with the question of how to prevent spam. I'm not sure there's a protocol mechanism here. It seems like you could have a local policy at the log to, say, limit the rate of updates that are accepted. So I think we should: 1. Forget about solving DNSSEC transparency generally 2. Focus on getting CT ready for DANE 3. Identify any tweaks that are necessary to support DANE-asserted certs 4. Maybe write some guidelines for anti-spam --Richard
- [Trans] DANE transparency Richard Barnes
- Re: [Trans] DANE transparency Ben Laurie
- Re: [Trans] DANE transparency Phillip Hallam-Baker