Re: [Trans] DNSSEC also needs CT

Nico Williams <nico@cryptonector.com> Thu, 22 May 2014 21:24 UTC


On Thu, May 22, 2014 at 1:48 PM, Stephen Kent <kent@bbn.com> wrote:
>> > That's a very confusing last phrase.
>>
>> I had no problem reading it.
>>
> A literal reading of it is as sarcasm. If that's PHB's intent, fine, but
> I just wanted to verify that there was no typo.

I saw no sarcasm in it.

>> In other words, your concern is about CT in general, not DNSSEC in
>> particular.  Sounds like a separable issue to me. But if CT makes sense then
>> it makes sense for DNSSEC.
>>
> yes, my complaint about a lack of a doc describing CT architecture is not
> specific to the CT for DNSSEC discussion.

We agree.

> CT may be appropriate for the Web PKI, w/o being a great idea for DNSSEC.

I take it you concede that lack of name constraints isn't the only
reason to want CT.

I'll concede that CT for DNSSEC might not be a good idea.  Did I ever
say it is?  I started the discussion with an inference: CT is for
PKIs, DNSSEC is a PKI, therefore CT fits DNSSEC, discuss.

> Until we have a doc that describes the architecture, we can't evaluate how
> good it is in either context.

We have a doc; it's missing important things.  I agree.  But I think
we can have some of this discussion given what we know now.  Indeed,
we've been having this discussion, and important things have come up
(privacy protection, spam).

Nico