Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 14 April 2016 06:38 UTC

Date: Thu, 14 Apr 2016 06:38:07 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160414063807.GB17212@mournblade.imrryr.org>
References: <20160413191405.GF26423@mournblade.imrryr.org> <542002133.1160.1460581138072.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <542002133.1160.1460581138072.JavaMail.yahoo@mail.yahoo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/_Pw3pxalaw9_fp-QSr9fxxwF5vo>

On Wed, Apr 13, 2016 at 08:58:58PM +0000, Binu Ramakrishnan wrote:

> > STS is WebPKI.  If you want STS, you need a certificate from one
> > of the usual CAs.  With a self-signed certificate (some day just
> > a bare public key and no certificate at all) you can only use DANE.
>
> Yes, the STS policy is served over WebPKI, but in the STS policy you may
> still specify/pin a public key or certificate for the MX server. Pinning is
> proposed as future work for STS along with additional constraints like
> min TLS version, PFS etc. STS uses WebPKI/Root CA as the trust anchor for policy
> distribution, and in the case of DANE the trust anchor is the DNS root (through
> DNSSEC).

See my response to Chris Newman.  The more prescriptive/ambitious
the STS design, the less likely it is to see workable broad adoption.

If the STS spec is just for email between Yahoo and Gmail, sure,
go for it.  Less work for me, I won't need to implement yet another
transport security mechanism.

A more reasonably modest STS would stay well clear of prescribing
such fine details.  Once the policy lookup requires WebPKI support,
pinning MX host certs is fragile over-engineering.

-- 
	Viktor.