Re: [websec] DNS publication of HSTS and PKP header data using CAA
Joseph Bonneau <jbonneau@gmail.com> Wed, 08 April 2015 23:38 UTC
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Wed, 08 Apr 2015 16:38:25 -0700
Message-ID: <CAOe4Ui=p16K5kNJ72RhxOUEDf0kvJOhzJ5D3LtsWhA1irzvz+A@mail.gmail.com>
To: ryan-ietfhasmat@sleevi.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/29cvNTEJPDQEfj197PZPC3EwItk>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA
On Wed, Apr 8, 2015 at 3:35 PM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote:
> On Wed, April 8, 2015 3:00 pm, Phillip Hallam-Baker wrote:
>> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>>
>> It is a pretty straightforward proposal.
>
> I believe it was so obvious that the IETF has already beat you to the
> punch - RFC 6698.
>
> In either event, I see no reason to standardize Yet Another Way to do the
> same thing.

I do. Not all Ways to Do The Same Thing are equal in practice, even if they're equal in theory.

DANE is complicated and has a completely different syntax. It is 37 pages long. Phillip's proposal is 6 pages long. There is probably more to be added, but that is still telling.

If a busy site admin asks "how can I close the trust-on-first-use hole for my site?", would we rather reply with:

1) Copy your HSTS and HPKP headers into a DNS record

or

2) Go read up on how DANE works, come up with a DANE policy that's compatible with your HSTS/HPKP preferences (which may not be precisely possible), and keep the two policies compatible as they evolve.

Perhaps DANE offers sufficiently extra expressive power that some super-energetic admins will prefer approach 2, but I think 9 of 10 developers (at least) would rather only have to learn and manage one syntax. My recent research on HSTS and HPKP deployment in practice has convinced me that much more attention needs to be paid to making developers' lives easier.