Re: [websec] DNS publication of HSTS and PKP header data using CAA

ngnoulaye@isoc-cameroon.org Tue, 14 April 2015 15:44 UTC

Message-ID: <6dad50f3fa3cf566611afd2f73ebfc89.squirrel@isoc-cameroon.org>
In-Reply-To: <CAMm+LwiRHNDk96GB9b7cyWzLVeSvxiNYc=Fxn9rjsG1ChZTjzw@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com> <8b60de39fde39644fcc43150c41ba978.squirrel@webmail.dreamhost.com> <CAMm+Lwhz1bmE61sinm-faHN7L6NdPA9nH=H4fCdkMtZGPR7m5A@mail.gmail.com> <3debce5114a44d5027f437c4c481addb.squirrel@webmail.dreamhost.com> <CAMm+LwjQE-t=DQRWc95gXYuo-1oKotbKuHzadc5Od+WG+M9_nw@mail.gmail.com> <3c6e1d6242b4bbc31d5020cf24770cb4.squirrel@webmail.dreamhost.com> <CAMm+LwiRHNDk96GB9b7cyWzLVeSvxiNYc=Fxn9rjsG1ChZTjzw@mail.gmail.com>
Date: Tue, 14 Apr 2015 10:44:15 -0500
From: ngnoulaye@isoc-cameroon.org
To: Phillip Hallam-Baker <phill@hallambaker.com>
User-Agent: SquirrelMail/1.5.2 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/hwWHo1agMA0jThabXrDB6a8E2PU>
Cc: ryan-ietfhasmat@sleevi.com, websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA

I support Hallam-Baker's views on this.
Regards,
/Janvier Ngnoulaye

On Wed, 8 April 2015 21:37, Phillip Hallam-Baker wrote:
> On Wed, Apr 8, 2015 at 9:52 PM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
> wrote:
>
>> On Wed, April 8, 2015 6:27 pm, Phillip Hallam-Baker wrote:
>>
>>> If DNSSEC is ever deployed AND it becomes visible to clients then it
>>> could be relevant to this spec. But right now DNSSEC is not a viable
>>> mechanism for authenticating DNS RRs at the client.
>>
>> Agreed. And so how are you going to bootstrap security over an insecure
>> connection, without dealing with all of the threat scenarios
>> explicitly and implicitly addressed by the documents you're trying to
>> supplant/augment?
>
> We are agreed that the utility of DNSSEC is limited to authoritative
> name resolvers, if that.
>
> So rather than trying to build further on a dead end, I propose to
> work in the opposite direction. We have a deployed scheme that already
> works in-band in HTTP; extending it to DNS publication is the logical next
> step to extend the scheme further. Once that is in place there is an
> incentive to deal with authenticating the DNS client-resolver connection.
>
> We can argue about the security benefits achieved through this
> particular proposal, but what do you expect from two pages?
>
> What I propose is that we take the low-hanging fruit now and let folk
> who have complicated boil-the-ocean approaches continue to fend for
> themselves.
>
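As an added example, not part of this thread or of the draft under discussion: a client-side parser for CAA records in RFC 6844 presentation format that derives an HSTS policy from a CAA tag and refuses to act on it unless the DNS answer was DNSSEC-authenticated, which is the bootstrap gap Sleevi raises above. The tag name "hsts", the SAMPLE_RRS records and the "authenticated" flag are assumptions made for illustration only; the actual record layout proposed in the draft is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Presentation format of a CAA RR (RFC 6844 section 5.1.1): <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"$')

# Hypothetical tag name: an assumption for this example, not the draft's tag.
HSTS_TAG = "hsts"


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 is "issuer critical" in RFC 6844
    tag: str     # compared case-insensitively
    value: str


def parse_caa(rr: str) -> CAARecord:
    """Parse one CAA RR from presentation format; raise ValueError on junk."""
    m = _CAA_RE.match(rr.strip())
    if m is None:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def parse_hsts_value(value: str) -> dict:
    """Parse 'max-age=N[; includeSubDomains]' the way a UA parses the
    Strict-Transport-Security header (RFC 6797 section 6.1): max-age is
    required, duplicates are an error, unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def hsts_policy_from_dns(rrs: Iterable[str], authenticated: bool) -> Optional[dict]:
    """Return the HSTS policy carried in the CAA RRset, or None.

    'authenticated' stands for the resolver reporting DNSSEC validation
    (the AD flag over a trusted client-resolver path). Without it, anyone
    who can spoof the DNS answer could strip the policy (max-age=0) or
    plant one of their own, so the record is ignored.
    """
    if not authenticated:
        return None
    for rr in rrs:
        rec = parse_caa(rr)
        if rec.tag == HSTS_TAG:
            return parse_hsts_value(rec.value)
    return None


# Constructed sample RRset for illustration; the "hsts" record is hypothetical.
SAMPLE_RRS = [
    '0 issue "ca.example.net"',
    '0 iodef "mailto:security@example.com"',
    '0 hsts "max-age=31536000; includeSubDomains"',
]

if __name__ == "__main__":
    print(hsts_policy_from_dns(SAMPLE_RRS, authenticated=True))
    print(hsts_policy_from_dns(SAMPLE_RRS, authenticated=False))
```

The authenticated gate is the whole point: with it, the DNS-published policy is only as trustworthy as the client's view of DNSSEC, which the thread agrees is currently weak; without it, the policy is a plaintext hint an on-path attacker controls.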