Re: [Trans] DANE transparency
Phillip Hallam-Baker <ietf@hallambaker.com> Mon, 28 July 2014 19:42 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59C21A036B for <trans@ietfa.amsl.com>; Mon, 28 Jul 2014 12:42:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v344cPTTSc9R for <trans@ietfa.amsl.com>; Mon, 28 Jul 2014 12:42:21 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A7BB1B27F9 for <trans@ietf.org>; Mon, 28 Jul 2014 12:42:13 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id d1so4999313wiv.13 for <trans@ietf.org>; Mon, 28 Jul 2014 12:42:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=9q8CqSV4r6ZwjoTtoZ2yZVAuswe2/R9I56CHE356ZHs=; b=edGhnlnTPo1Ffvpd9nouxLpIBp2XY7OarD1uQbDU1RifjROEKmRx2VNSed7IJQCaGP 2tWEclsV6KAHfinfjRMJcHfZA/KXoc+DE3n7ZBTlqDVYhi5Ik/+H+OPZG7Q07netCW5A MaKIrISKNbeSsgR8AUetNlwBv3wZ+YotorZ4JgWLFS9dIT/KrLNsiBEXidF0w2HyoJdj jx06YsDcNK9f+FJMObvAF1qtTfnOgptMLb+7JPmyeWQXmCyMAUp+EXLjD+H2M3x1pUVi ShcG0qnJXbprsdyPaptEaiTxS+7LuBK44DZsfyzRzH325V80aNvjMefV+mLZ4XSeZU0x CkpQ==
MIME-Version: 1.0
X-Received: by 10.180.104.42 with SMTP id gb10mr33798161wib.65.1406576529698; Mon, 28 Jul 2014 12:42:09 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.194.71.103 with HTTP; Mon, 28 Jul 2014 12:42:09 -0700 (PDT)
In-Reply-To: <CABrd9SQhehQKEq_+kssA4PjfZgkm_FTJGnozBeR9LfGEKHug+Q@mail.gmail.com>
References: <CAL02cgRx2vreekdqbO6m-o8vW46DeP3wvDdRm2V_-9ZeYtm+yw@mail.gmail.com> <CABrd9SQhehQKEq_+kssA4PjfZgkm_FTJGnozBeR9LfGEKHug+Q@mail.gmail.com>
Date: Mon, 28 Jul 2014 15:42:09 -0400
X-Google-Sender-Auth: 6PGU879T7VczH7Ta9yx8wTAV6d0
Message-ID: <CAMm+Lwj=LgpVaRyuvbvT8AgPppznMQ49tTXsytNNMaPdGDZtcw@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: Ben Laurie <benl@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/wjGDte2Dt7T4JeTQhq5s7uiN6XI
Cc: Richard Barnes <rlb@ipv.sx>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DANE transparency
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 19:42:23 -0000
On Mon, Jul 28, 2014 at 3:15 PM, Ben Laurie <benl@google.com> wrote: > Two points: > > 1. In the limit, is there really a noticable difference between doing > transparency for DANE and doing transparency for all of DNSSEC? > > 2. DNSSEC surely exists for reasons other than to secure TLSA records. > I therefore don't buy that there's no point to making the rest of > DNSSEC transparent. > > Which is not to say that a DANE-specific transparency project isn't > worth pursuing, but I don't think doing so removes the value of a > general DNSSEC transparency project. +1 Unless DANE is bjorked, it should be easier to apply DANE to the DNSSEC system and then DANE rather than just DANE/TLS. The only advantage to doing it piecemeal is that you have more wiggle room. Which is very useful when dealing with an infrastructure like SMTP where the biggest problem you always face is the deployed legacy base. Using wiggle room when you shouldn't need it is going to result in a spec that is stovepiped to one application and will be very hard to port to anything else. On top of which, DANE's achilles heel is the problem of deployment. Getting all the folk who need to move in one direction is really hard. We will have a functioning TRANS system operational long before DNSSEC. So using TRANS as leverage to deploy DNSSEC makes a lot more sense than waiting around.
- [Trans] DANE transparency Richard Barnes
- Re: [Trans] DANE transparency Ben Laurie
- Re: [Trans] DANE transparency Phillip Hallam-Baker