Re: [Trans] [dane] CT for DNSSEC

Wei Chuang <weihaw@google.com> Mon, 20 March 2017 22:38 UTC

In-Reply-To: <C54BF614-378D-4A0A-964F-AE372E064D42@vpnc.org>
References: <CAAFsWK0bCDZmg0csCfXAJ1=jqbOBc7sUUvSg-6ZKjxuAQKmQPA@mail.gmail.com> <455EC3FC-9140-40D3-88F8-77990B7C7DD0@vpnc.org> <CAAFsWK2z1AR6RZToQvw7s_t_u+333Jyk6pUQ5KznbsrQGxkvgQ@mail.gmail.com> <C54BF614-378D-4A0A-964F-AE372E064D42@vpnc.org>
From: Wei Chuang <weihaw@google.com>
Date: Mon, 20 Mar 2017 15:38:49 -0700
Message-ID: <CAAFsWK3NSLNnFzA4U=EtB4rdg-i1fpEA7OO9koavjaRLBzQCag@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: trans@ietf.org, dane@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a113be8f6f08801054b313015"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/xZdmrUVyLBvc2s7Jx0qIhjk4vA0>
Subject: Re: [Trans] [dane] CT for DNSSEC
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On Fri, Mar 17, 2017 at 11:20 AM, Paul Hoffman <paul.hoffman@vpnc.org>
wrote:

> On 17 Mar 2017, at 9:31, Wei Chuang wrote:
>
>> One issue with logging all records seen is if webmail providers publish
>> SMIMEA there will be a potentially overwhelming number of records logged,
>> and a very large change rate.
>
> Don't log what you can't log due to scale.


Just a note of caution: sometimes that might be hard to determine a priori,
before deployment, and then the cause of the cessation of logging might be
inadvertently interpreted as malicious. It might be best to statically
define which records are expected to be logged.


>> Another issue is privacy of such records.
>
> Sure, but there are unpredictable privacy issues with lots of DNS record
> data. It's not possible for us to predict what will and will not be
> considered private information now or in the future for anyone other than
> ourselves.


Logging may defeat the privacy mechanism that the SMIMEA and OPENPGPKEY naming
scheme uses to prevent bulk disclosure of keys, i.e. section 7.4 of RFC 7929.
Much depends on the log implementation, though.

-Wei
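As an added illustration of the point Wei raises (example code written for this page, not code from the thread or from any IETF draft): the owner-name construction from RFC 7929 section 3, which RFC 8162 reuses for SMIMEA, hashes the UTF-8 local-part with SHA2-256, truncates to 28 octets and writes it as 56 hex characters under `_openpgpkey` or `_smimecert`. The hash is unsalted and the local-part is low-entropy, so a transparency log that records these owner names hands an attacker an offline dictionary attack: hash a candidate list of local-parts once and match it against the whole log. The addresses and candidate list below are constructed for the example.

```python
import hashlib

# Constructed sample data for this example (not taken from the thread): addresses a
# webmail provider might publish records for, and the local-parts an attacker guesses.
SAMPLE_ADDRESSES = ["alice@example.com", "bob@example.com", "zq8-internal@example.com"]
GUESSED_LOCAL_PARTS = ["alice", "bob", "carol", "postmaster"]

OPENPGPKEY_LABEL = "_openpgpkey"   # RFC 7929
SMIMEA_LABEL = "_smimecert"        # RFC 8162


def local_part_label(local_part: str) -> str:
    """RFC 7929 sec 3 / RFC 8162 sec 3: SHA2-256 over the UTF-8 local-part,
    truncated to 28 octets, rendered as 56 lowercase hex characters."""
    return hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()


def owner_name(address: str, rrtype_label: str) -> str:
    """Owner name of the OPENPGPKEY/SMIMEA record for an email address.
    The local-part is hashed as given (the RFCs forbid the publisher from
    transforming it); the domain part is appended unchanged."""
    local_part, domain = address.rsplit("@", 1)
    return f"{local_part_label(local_part)}.{rrtype_label}.{domain}."


def openpgpkey_owner_name(address: str) -> str:
    return owner_name(address, OPENPGPKEY_LABEL)


def smimea_owner_name(address: str) -> str:
    return owner_name(address, SMIMEA_LABEL)


def recover_addresses(logged_owner_names, candidate_local_parts):
    """Dictionary attack over a log of owner names.

    Returns {owner_name: recovered email address} for every logged name whose
    hash label matches one of the candidate local-parts. Names that are not
    OPENPGPKEY/SMIMEA owner names, or whose local-part is not in the candidate
    list, are left alone: the hash only hides what the attacker cannot guess.
    """
    table = {local_part_label(lp): lp for lp in candidate_local_parts}
    recovered = {}
    for name in logged_owner_names:
        labels = name.rstrip(".").split(".")
        if len(labels) < 3 or labels[1] not in (OPENPGPKEY_LABEL, SMIMEA_LABEL):
            continue
        local_part = table.get(labels[0])
        if local_part is not None:
            recovered[name] = f"{local_part}@{'.'.join(labels[2:])}"
    return recovered


if __name__ == "__main__":
    # What a log that records every OPENPGPKEY owner name would contain ...
    log = [openpgpkey_owner_name(a) for a in SAMPLE_ADDRESSES]
    for name in log:
        print("logged:", name)
    # ... and what an attacker with a guess list gets back from it.
    for name, address in recover_addresses(log, GUESSED_LOCAL_PARTS).items():
        print("recovered:", address, "<-", name)
```

Only `alice@` and `bob@` come back; `zq8-internal@` survives because it is not in the guess list, which is the whole protection the scheme offers. Whether a log actually exposes this depends on what it records: a log that stores only the zone's DNSKEY/DS material, or hashes of records rather than the owner names themselves, does not hand out the name list in this form.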