Re: [Trans] DANE transparency
Ben Laurie <benl@google.com> Mon, 28 July 2014 19:15 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09B811B28B6 for <trans@ietfa.amsl.com>; Mon, 28 Jul 2014 12:15:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level:
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVFEauQRXN3M for <trans@ietfa.amsl.com>; Mon, 28 Jul 2014 12:15:27 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F3E91B28A6 for <trans@ietf.org>; Mon, 28 Jul 2014 12:15:26 -0700 (PDT)
Received: by mail-ie0-f182.google.com with SMTP id y20so7217281ier.27 for <trans@ietf.org>; Mon, 28 Jul 2014 12:15:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=FBYauZeCsSoFoo0m7U6XLvrApZekeaN81xSRWmrq3lo=; b=bHJb4NTRL1tp1Ka1sixJ8+IkT2KDUGOjlbqbUCkTy2RyWXn+WYslNq9ztDxs0YNgNl wiIMoa7Cu3aKe7oB1UJR6OKCdn+6IS31rxUeGVLM3lLBE34pmFlcQM4VXYlI6uOIykZq qu6WVvINIJv6n2k5ruIaXm2FzNlP6VSfGTWWrkMRbdv6QZAs2AVTJt7aAmUyPvSzl4Xp k5DoJOs+vyD2xPXqJR0hM759AY9g9ROiPeU6LskUQSYvFBaswXMieIObRB75H6tDYpDp ENRy+d7KEdy2cl2+HtFRUGzQOJ1TYVRjXVPvDas5heAkr6JMaUjds/k3yYjXb5HHx+Q3 5zBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=FBYauZeCsSoFoo0m7U6XLvrApZekeaN81xSRWmrq3lo=; b=B3ctPZYlLlD/znkjhy4QAl4619lcAxUNiDwUILA2TRyAn4phARG4ILorfAF0ePCk2/ 9/4c1XX9qTX/vUEPmzwnnxfv8MU4j3Bz6pld2D8zpeNYyPkBo9SEW64reQ670hKkW1NL XWFHZoY4RasTrMWkn2RPtAQjQQC6PEmvnskWf3NLhHwj8JiDbMxyHJcz6kr5+lQZINKY FvnXsjJKtKkhyVve0YHwu/Tk1DW1BU6Y+82Rn2od1a8ucjHV2XRWpdCLIIfMFmB6e53K Y4OFvgRti9t8gPrCTTe0EZqhEr4CqPagrJtvZ0fvNINSY2qjixteMtQTtWLvuFGlouVT JZyA==
X-Gm-Message-State: ALoCoQn2+7XiP3e7Vjuq2NscE7FZKQASNCSfwgrw3yzL0myv2x2Ium39lZsx373KgRoG74pJPeKj
MIME-Version: 1.0
X-Received: by 10.50.56.38 with SMTP id x6mr35385068igp.30.1406574926281; Mon, 28 Jul 2014 12:15:26 -0700 (PDT)
Received: by 10.64.97.65 with HTTP; Mon, 28 Jul 2014 12:15:26 -0700 (PDT)
In-Reply-To: <CAL02cgRx2vreekdqbO6m-o8vW46DeP3wvDdRm2V_-9ZeYtm+yw@mail.gmail.com>
References: <CAL02cgRx2vreekdqbO6m-o8vW46DeP3wvDdRm2V_-9ZeYtm+yw@mail.gmail.com>
Date: Mon, 28 Jul 2014 15:15:26 -0400
Message-ID: <CABrd9SQhehQKEq_+kssA4PjfZgkm_FTJGnozBeR9LfGEKHug+Q@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/moTFSYjPUr62_0VMW6j1IIl5IFw
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DANE transparency
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 19:15:28 -0000
On 25 July 2014 11:59, Richard Barnes <rlb@ipv.sx> wrote: > I didn't get my thoughts put together in time to get to the mic in the > meeting today, but here's roughly what I was going to say: > > tl;dr: Spam on CT logs is the only major problem to solve here, and protocol > is probably not the way to solve it. > > Doing transparency for the whole of DNSSEC is an unsolvable problem. It's > massive, like Wes pointed out, and littered with tautological pitfalls. I > could imagine some form of "DNSSEC pinning" allowing subordinates to impose > hysteresis on frequently-accessed domains, but going further than that > quickly approaches the madness that Stéphane noted. > > Instead of focusing on the internals of DNSSEC, we should focus on the > things that actually impact protocol, i.e., the TLSA records at the leaf. > Normal CT is totally sufficient for these -- certs/pubkeys asserted in TLSA > are still certs/pubkeys. If we need to change the syntax to capture things > slightly differently, we should do that, but it seems straightforward. > > The only reason that chains are needed in CT is to defend against spam. > With DANE, the potential spammer is the authority, so he can make as many > spam domains as he wants. So the "DNSSEC chain" is useless for spam > mitigation. It's all so possible that DANE-asserted certs will change more > often, so again, we might want to tweak what's logged (e.g., to log the > public key). Fairly minor change. > > We're left with the question of how to prevent spam. I'm not sure there's a > protocol mechanism here. It seems like you could have a local policy at the > log to, say, limit the rate of updates that are accepted. > > So I think we should: > 1. Forget about solving DNSSEC transparency generally > 2. Focus on getting CT ready for DANE > 3. Identify any tweaks that are necessary to support DANE-asserted certs > 4. Maybe write some guidelines for anti-spam Two points: 1. In the limit, is there really a noticable difference between doing transparency for DANE and doing transparency for all of DNSSEC? 2. DNSSEC surely exists for reasons other than to secure TLSA records. I therefore don't buy that there's no point to making the rest of DNSSEC transparent. Which is not to say that a DANE-specific transparency project isn't worth pursuing, but I don't think doing so removes the value of a general DNSSEC transparency project.
- [Trans] DANE transparency Richard Barnes
- Re: [Trans] DANE transparency Ben Laurie
- Re: [Trans] DANE transparency Phillip Hallam-Baker