Re: [websec] DNS publication of HSTS and PKP header data using CAA

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Thu, 09 April 2015 00:41 UTC

Message-ID: <3debce5114a44d5027f437c4c481addb.squirrel@webmail.dreamhost.com>
In-Reply-To: <CAMm+Lwhz1bmE61sinm-faHN7L6NdPA9nH=H4fCdkMtZGPR7m5A@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com> <8b60de39fde39644fcc43150c41ba978.squirrel@webmail.dreamhost.com> <CAMm+Lwhz1bmE61sinm-faHN7L6NdPA9nH=H4fCdkMtZGPR7m5A@mail.gmail.com>
Date: Wed, 8 Apr 2015 17:41:19 -0700
From: "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com>
To: "Phillip Hallam-Baker" <phill@hallambaker.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/hMtPS1Z8fY6jqsJU1H1IEt8J_fc>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA

On Wed, April 8, 2015 4:40 pm, Phillip Hallam-Baker wrote:
>  Who said anything about DNSSEC being required?

If it isn't, then it's not equivalent.

HSTS requires an error-free connection - in part to ensure the policy is
securely delivered.

HPKP requires an error-free connection that is consistent with the policy
expressed - in part to ensure the policy is securely delivered and
correctly formed.

If you don't require secure delivery of that, then you're not developing a
secure solution.

If you're doing it for out-of-band discovery, then it would help to say
that. But I very much doubt you are.

>  Having more than one solution for a problem is usually a good reason
>  to pick one.

http://xkcd.com/927/
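As an added illustration of the acceptance rules the reply refers to (this is example code, not from the thread or either author): a user agent stores an HSTS policy only when it arrived over an error-free secure connection, and stores an HPKP policy only when, in addition, the pin set is well-formed, matches the validated chain and carries a backup pin. Function names, header strings and pin values are constructed for the example.

```python
# Added example: UA-side acceptance of HSTS (RFC 6797) and HPKP (RFC 7469)
# headers. Policies are only "noted" when securely delivered and, for HPKP,
# consistent with the chain that delivered them. Sample values are constructed.
import re
from typing import Optional

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAXAGE_RE = re.compile(r"max-age=(\d+)")


def accept_hsts(connection_error_free: bool, header: str) -> Optional[dict]:
    """Return an HSTS policy dict, or None if the header must be ignored."""
    if not connection_error_free:
        return None  # RFC 6797 s8: ignore STS unless transport was error-free
    m = _MAXAGE_RE.search(header)
    if m is None:
        return None  # malformed: max-age is mandatory
    return {"max_age": int(m.group(1)),
            "include_subdomains": "includesubdomains" in header.lower()}


def accept_hpkp(connection_error_free: bool, header: str,
                chain_spki_sha256: set) -> Optional[dict]:
    """Return a pinning policy dict, or None if the header must be ignored.

    chain_spki_sha256: base64 SHA-256 SPKI hashes of the validated chain.
    """
    if not connection_error_free:
        return None  # policy must arrive over a clean connection
    pins = set(_PIN_RE.findall(header))
    m = _MAXAGE_RE.search(header)
    if m is None or not pins:
        return None  # malformed header
    if not pins & chain_spki_sha256:
        return None  # RFC 7469 s2.5: at least one pin must match the chain
    if not pins - chain_spki_sha256:
        return None  # RFC 7469 s2.5: a backup pin not in the chain is required
    return {"max_age": int(m.group(1)), "pins": pins,
            "include_subdomains": "includesubdomains" in header.lower()}
```

A CAA record fetched without DNSSEC satisfies none of these conditions, which is the reply's point: the same data delivered without an integrity check is not the same policy.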