Re: [Uta] Uta Digest, Vol 28, Issue 16
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 24 March 2016 19:16 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1D8412D512 for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 12:16:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txFDWpZpBGVH for <uta@ietfa.amsl.com>; Thu, 24 Mar 2016 12:16:32 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5371612D0A1 for <uta@ietf.org>; Thu, 24 Mar 2016 12:16:32 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 4C48C284F45; Thu, 24 Mar 2016 19:16:31 +0000 (UTC)
Date: Thu, 24 Mar 2016 19:16:31 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20160324191631.GN6602@mournblade.imrryr.org>
References: <mailman.354.1458836179.3382.uta@ietf.org> <5B12C084-3EB4-4789-A12D-29B04C157AB8@dukhovni.org> <CANtKdUeYJ-qcqu4WocYMKUcs8opfD1_edti2HcNNY=Mybp1Trw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANtKdUeYJ-qcqu4WocYMKUcs8opfD1_edti2HcNNY=Mybp1Trw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/hyCi_TS1YzyMjb2k9ztn4ProrWI>
Subject: Re: [Uta] Uta Digest, Vol 28, Issue 16
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2016 19:16:35 -0000
On Thu, Mar 24, 2016 at 06:06:25PM +0100, Daniel Margolis wrote: > I think your thought exercise has brought you to the same place I arrived > at. ;) > > Note in particular, regarding domains "too big to do DANE", that this seems > likely to be especially true for big hosting providers. [ As an side, udmedia.de, transip.nl and nederhost.nl are doing fine with hosting lots of DNSSEC customer domains with DANE-enabled MX hosts, so I don't understand the above, but I think it is off topic, so we can move on... ] > A secondary problem with in-band validation is that it may increase the > risk of an attacker turning a temporary MITM into a perma-DoS, because you > now can't require that the policy be delivered from a server who's > certificate SAN matches the email domain. Indeed this is fatal. It is the same issue that faces RFC 6186 in the absense of DNSSEC. There is no practical way to do WebPKI authentication of target services in the presence of unvalidated DNS-based indirection. Alexey's recent email certs RFC suggests SRV-ID, but I don't see substantial support for that as likely to happen. > Anyway, this is a bit of a tangent, I think, because I think we're all on > the same page, but I've been sort of meaning to write up a list of > motivating design concerns describing these sorts of corner cases that we > discovered in alternate proposals; otherwise it's easy to forget *why* X > wasn't likely to work. In this light the well-known HTTPS URI is the glue tying the STS policy to the domain owner in a way that works with WebPKI and avoids DNS indirection. Instead the STS policy constrains the targets of the DNS indirection. This sure ain't pretty! I sure wish you guys would hurry up and do DANE, but wishing it won't make it so... :-( -- Viktor.
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Viktor Dukhovni
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Daniel Margolis
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Orit Levin (CELA)
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Viktor Dukhovni
- Re: [Uta] Uta Digest, Vol 28, Issue 16 Neil Cook