Re: [websec] DNS publication of HSTS and PKP header data using CAA
"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Thu, 09 April 2015 00:48 UTC
Message-ID: <5c572eea7036599f2cc96f454cb99375.squirrel@webmail.dreamhost.com>
In-Reply-To: <CAOe4Ui=p16K5kNJ72RhxOUEDf0kvJOhzJ5D3LtsWhA1irzvz+A@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com>
<8b60de39fde39644fcc43150c41ba978.squirrel@webmail.dreamhost.com>
<CAOe4Ui=p16K5kNJ72RhxOUEDf0kvJOhzJ5D3LtsWhA1irzvz+A@mail.gmail.com>
Date: Wed, 8 Apr 2015 17:48:28 -0700
From: "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com>
To: "Joseph Bonneau" <jbonneau@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/XAOmkLwWCkfYXt6gjErhCIR0a4g>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, websec <websec@ietf.org>
On Wed, April 8, 2015 4:38 pm, Joseph Bonneau wrote:
> My recent research on HSTS and HPKP deployment in practice has
> convinced me that much more attention needs to be paid to making
> developers' lives easier.

I certainly agree with this.

From a UA perspective, does this address any of the concerns that DANE/DNSSEC suffer from? No, not really. So is this an improvement over DANE/DNSSEC? Only in syntax, not in deployability.

Respectfully, this is a solution in search of a problem space. That Phillip suggests it's deployable without DNSSEC is itself telling that it's not meant to be an apples:apples conversion for the client.

If we assume it's for discoverability for preloads, then it's ill-defined who the discovering actors are and whether or not they're interested in it, but it is a question worth having on the "Is this a problem" side before an "I have a solution" side is broached.

When I look at this from the "What problem does it solve" and "In doing so, does it introduce new problems" perspective, I'm not sure I agree with the first question, and even if I did, the answers to the second question are rightfully concerning.