Re: [Trans] DNSSEC also needs CT

Stephen Kent <kent@bbn.com> Thu, 22 May 2014 18:48 UTC

Message-ID: <537E467C.7010405@bbn.com>
Date: Thu, 22 May 2014 14:48:28 -0400
From: Stephen Kent <kent@bbn.com>
To: Nico Williams <nico@cryptonector.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <537E3229.4070402@bbn.com> <CAMm+Lwjbi5t7Efgyf4cNdh-2=DqbeSE4xgxf3TchPZBAyERwug@mail.gmail.com> <537E3E17.8000901@bbn.com> <CAK3OfOgE-0jhSfPBn+EoWw5CJx+jLU6vcKC3k=3NHGNkTDouAw@mail.gmail.com>
In-Reply-To: <CAK3OfOgE-0jhSfPBn+EoWw5CJx+jLU6vcKC3k=3NHGNkTDouAw@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/pFEWQu38RoFDmeIWIQZ4IydAQas
Cc: trans@ietf.org
Subject: Re: [Trans] DNSSEC also needs CT

Nico,

>
> ...
> >
> > That's a very confusing last phrase.
>
> I had no problem reading it.
>
A literal reading of it is as sarcasm. If that's PHB's intent, fine, but
I just wanted to verify that there was no typo.
>
> Your complaints that we're all inarticulate are getting old.
>
Not everyone, but a lot of messages and docs seem to validate my
complaint :-).

> >> The other major advantage is that it provides a tool to avoid some of
> >> the cryptographic lock in problems that are causing certain countries
> >> to cause issues in ICANN. You don't have to agree with their analysis
> >> to find value in addressing the concerns.
> >
> > I understand their concerns. But the lack of a well-articulated architecture
> > for CT, much less a CT for DNSSEC, makes it hard for me to gauge whether
> > this is a good idea.
>
> In other words, your concern is about CT in general, not DNSSEC in 
> particular.  Sounds like a separable issue to me. But if CT makes 
> sense then it makes sense for DNSSEC.
>
Yes, my complaint about a lack of a doc describing CT architecture is not
specific to the CT for DNSSEC discussion.

CT may be appropriate for the Web PKI, w/o being a great idea for DNSSEC.

Until we have a doc that describes the architecture, we can't evaluate
how good it is in either context.

Steve