Re: [Trans] DNSSEC also needs CT
Phillip Hallam-Baker <hallam@gmail.com> Sun, 11 May 2014 16:49 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9BC1A0267 for <trans@ietfa.amsl.com>; Sun, 11 May 2014 09:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yqyqbj5cE_Gs for <trans@ietfa.amsl.com>; Sun, 11 May 2014 09:49:51 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 085B31A0266 for <trans@ietf.org>; Sun, 11 May 2014 09:49:50 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id n12so5961180wgh.29 for <trans@ietf.org>; Sun, 11 May 2014 09:49:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OQ7mnFElna7D49wamo6ldIg2FFut26aUdbIpoNVK0H4=; b=shPnGhIdwPW075fuibfU0dIjG9MGCDTRUAuNKP//JS6yVYafnfzU4Xds2erf+7r13p JpgbTI6clCY/4AUTffSUouVvGmE3YCOt26sAuk0q+OORORLpJhJ6O3VwM0w9iIyskq+p YNn/AaOwzeWB2XCq8lylSoRnj+7C6Bj9U78SbGwRGbbUPj2hjFDdN7a9UwlcgtlJ4nJH m2eZ7piyU1BXutA4IJEQZrZMAS7nhFYwuxyq5esuAiKt3TCW98+FHMbUWNiXsKzHCFX1 Gh2aVCs92kd75vrR/YShXPW5h3xu1FhZXjEEqXpluBoEoSxCT4iTswlH2rUCI/8RqHlu 2b3A==
MIME-Version: 1.0
X-Received: by 10.194.92.81 with SMTP id ck17mr17829384wjb.14.1399826985006; Sun, 11 May 2014 09:49:45 -0700 (PDT)
Received: by 10.194.157.9 with HTTP; Sun, 11 May 2014 09:49:44 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.10.1405111136110.31230@bofh.nohats.ca>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <536F8BC4.5070405@fifthhorseman.net> <CAMm+LwjKDvi22SHLRDuEq=v4BXsD1_EyvCeuUxZBk7YDcLpr8w@mail.gmail.com> <alpine.LFD.2.10.1405111136110.31230@bofh.nohats.ca>
Date: Sun, 11 May 2014 12:49:44 -0400
Message-ID: <CAMm+LwiPXRPJKFYQqRw6eTf-_pEjS5AbkWP8LSk0bwi-4t2esw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ULWQgRBXCL04qx_pfF_UstIf-jY
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 16:49:52 -0000
On Sun, May 11, 2014 at 11:37 AM, Paul Wouters <paul@nohats.ca> wrote: > On Sun, 11 May 2014, Phillip Hallam-Baker wrote: > >> It is probably fair to assume that CT logs will be maintained by CAs > > > That would be a non-starter for those people (let's call them the defcon > crowd) who are looking at dnssec as a way out of the trust in a handful > of CAs or TLD operators. As I went on to say: "It is probably fair to assume that CT logs will be maintained by CAs but it would be entirely practical for an open service to be established. The criteria are rather simpler to enforce than certificate issue." I don't see the CAs running CT logs as being necessarily exclusive. In particular, running a CT log does not require audit which is the difficult part of being a CA. The whole point of transparency is that the operation of the log does not need a trusted auditor with special access. Anyone can audit the operation of the log. Now what the non-CA application does call for is thinking through a lot more of the operation of the logs and how they are held accountable. >> The main question is what purpose a CT log for DNSSEC would serve. For >> me the value would be to protect my domain against having it stolen by >> ICANN. > > > Or any of the parental zones above your own zone. True and that concern has already been an issue with zones such as vb.ly which was grabbed back when the value of the zone was realized. -- Website: http://hallambaker.com/
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent