Re: [Trans] EXTERNAL: DNSSEC also needs CT
"Mehner, Carl" <Carl.Mehner@usaa.com> Fri, 09 May 2014 21:58 UTC
From: "Mehner, Carl" <Carl.Mehner@usaa.com>
To: Nico Williams <nico@cryptonector.com>, "trans@ietf.org" <trans@ietf.org>
Date: Fri, 09 May 2014 21:58:34 +0000
Message-ID: <19075EB00EA7FE49AFF87E5818D673D41110CD50@PRODEXMB01W.eagle.usaa.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com>
In-Reply-To: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/NlXXQvKVeN2gpVnYqL4BXfFkBtc
RFC6698 says:
> This chain is required to prevent a CA from avoiding blame
> by logging a partial or empty chain. (Note: This effectively
> excludes self-signed and DANE-based certificates until some mechanism
> to control spam for those certificates is found. The authors welcome
> suggestions.)

I propose:

To have a DANE certificate (not signed by a public CA) included into a CT log:
1) a pre-certificate be created
2) the pre-certificate submitted to a log
3) the log will verify based on a valid DANE record of type PKIX-EE
4) return a SCT to the submitter to include in the final certificate

Carl Mehner
210.416.0942
Info Security

-----Original Message-----
From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Nico Williams
Sent: Friday, May 09, 2014 4:31 PM
To: trans@ietf.org
Subject: EXTERNAL: [Trans] DNSSEC also needs CT

DNSSEC is a PKI [of sorts; please, no need to pick nits about that]. It stands to reason that DNSSEC should have similar trust problems as PKIX. I believe it does indeed.

It follows that things like CT that we're applying to PKIX should be applied to DNSSEC as well, where possible. I don't see any reason why CT couldn't be extended to DNSSEC. IMO, it should be done.

Note that DNSSEC needs CT independently of protocols like DANE, but any protocol that allows a DNSSEC MITM to bypass PKIX CT (as DANE effectively does) should increase the need for CT for DNSSEC.

Note too that I'm not in any way saying that DANE and similar should block on CT for DNSSEC.

Sincerely,

Nico
--
_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans
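The log-side check in step 3 of the proposal above, written as an added example (not code from the original post or from any CT log): it applies the TLSA matching rules of RFC 6698 (usage 1 = PKIX-EE, selector, matching type) to the public key of the submitted pre-certificate and decides whether an SCT may be returned. The sample SPKI bytes, the `dnssec_validated` flag and all function names are assumptions.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA field values from RFC 6698 section 2.1 (taken from the RFC, not from the post)
USAGE_PKIX_EE = 1                         # the "PKIX-EE" usage named in the proposal
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes             # Certificate Association Data
    dnssec_validated: bool  # assumption: the resolver returned this RRset DNSSEC-validated (AD bit)


def association_data(selected: bytes, matching_type: int) -> bytes:
    """Transform the selected bytes the way a TLSA record stores them."""
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def precert_matches_tlsa(precert_spki_der: bytes, rec: TLSARecord) -> bool:
    """Step 3 of the proposal: can this TLSA record vouch for the submitted pre-certificate?"""
    if not rec.dnssec_validated or rec.usage != USAGE_PKIX_EE:
        return False  # unsigned DNS data, or a CA-constraint record, proves nothing about the EE key
    if rec.selector != SELECTOR_SPKI:
        # The pre-certificate is not byte-identical to the final certificate (poison extension,
        # possibly a different signer), so a full-certificate record (selector 0) cannot be
        # checked before the final certificate exists; only the SPKI survives unchanged.
        return False
    return association_data(precert_spki_der, rec.matching_type) == rec.data


def log_should_issue_sct(precert_spki_der: bytes, tlsa_rrset: list) -> bool:
    """Accept the submission (and hand back an SCT) only if at least one record matches."""
    return any(precert_matches_tlsa(precert_spki_der, r) for r in tlsa_rrset)


# Constructed sample input: placeholder SPKI bytes (not a real key) and the TLSA RRset the log looked up
SAMPLE_SPKI = b"CONSTRUCTED-SPKI-DER-FOR-example.com"
SAMPLE_RRSET = [TLSARecord(USAGE_PKIX_EE, SELECTOR_SPKI, MATCH_SHA256,
                           hashlib.sha256(SAMPLE_SPKI).digest(), dnssec_validated=True)]
```

A record that is not DNSSEC-validated, carries a CA-constraint usage, or selects the full certificate is rejected even when its digest happens to match, since none of those lets the log tie the pre-certificate's key to the zone owner.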