Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-01.txt

Philipp Hancke <fippo@goodadvice.pages.de> Wed, 27 June 2012 17:29 UTC

Message-ID: <4FEB42EF.9030701@goodadvice.pages.de>
Date: Wed, 27 Jun 2012 19:29:19 +0200
From: Philipp Hancke <fippo@goodadvice.pages.de>
To: Matt Miller <mamille2@cisco.com>
References: <20120608202212.8859.65155.idtracker@ietfa.amsl.com> <A14A8C98-F762-4C96-9895-50DB6DFEF973@cisco.com> <alpine.DEB.1.10.1206271649070.17671@lo.psyced.org> <4975B6EA-000B-4C23-9D8F-47184E5BC126@cisco.com>
In-Reply-To: <4975B6EA-000B-4C23-9D8F-47184E5BC126@cisco.com>
Cc: XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-01.txt

On 27.06.2012 18:19, Matt Miller wrote:
> On Jun 27, 2012, at 09:16, Philipp Hancke wrote:
>
>> I'm pondering on the proof name. The prooftype is using DNSSEC, but uses it to extend the 6125 to allow secure delegation.
>> I.e. it either explains how to do delegation within a PKI prooftype or is a PKI-Delegation proof.
>>
>> DNSSEC alone might (mostly in the context of s2s and server dialback) be a different proof (used by the connecting server instead of dialback's current faith in insecure DNS).
>>
>
> First; Peter and I will be submitting a new DNA (Domain Name Associations) draft soon, which defines a few terms like "prooftype", "delegation method", and "assertion mechanism".  The goal is to have it published before the end of the week, so stay tuned!
>
> I don't think DNSSEC in and of itself is really a proof; it's not providing verification material directly.  I do think it is a delegation method, which then makes dialback keys a worthwhile prooftype!

I expect dialback keys (the XEP-0185 stuff) to (gradually) become 
obsolete. The cridlandish samecert optimization yields a similar proof 
of possession using the shared private X.509 key and has fewer 
round-trips. There are a few cases where this does not work, typically 
large sites that use multiple certificates, but one might expect them to 
deploy DANE.

DNSSEC still helps to ensure that you send stanzas to the right peer.
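Added illustration of the delegation check the thread is discussing (example code, not from the draft or from either poster): a connecting server accepts the peer's certificate either because it names the XMPP domain directly (plain RFC 6125) or because a DNSSEC-validated SRV answer delegates the domain to the host the certificate does name. The resolver is a constructed in-memory stub; `FAKE_SRV`, the domain names and the `dnssec_validated` flag (standing in for the AD bit a validating resolver sets) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SrvAnswer:
    target: str              # host the _xmpp-server._tcp SRV record points at
    dnssec_validated: bool   # stands in for the AD bit from a validating resolver (assumption)


# Constructed stub resolver; real code would query _xmpp-server._tcp.<domain> over DNS.
FAKE_SRV = {
    "example.net": SrvAnswer("xmpp.hosting.example", True),        # signed zone
    "insecure.example": SrvAnswer("xmpp.hosting.example", False),  # unsigned zone
}


def lookup_srv(domain: str) -> Optional[SrvAnswer]:
    return FAKE_SRV.get(domain)


def cert_matches(san_dns_names: List[str], name: str) -> bool:
    # RFC 6125 style DNS-ID comparison; exact match only, wildcards left out for brevity.
    return name.lower() in (n.lower() for n in san_dns_names)


def peer_identity_ok(domain: str, san_dns_names: List[str]) -> str:
    """Return which proof accepted the peer ('direct' or 'delegated'), else 'reject'."""
    # Plain RFC 6125: the certificate names the XMPP domain itself.
    if cert_matches(san_dns_names, domain):
        return "direct"
    srv = lookup_srv(domain)
    if srv is None:
        return "reject"
    # Delegation via SRV is only trustworthy when the answer was DNSSEC-validated;
    # an unsigned SRV answer is exactly the "insecure dns" the thread warns about.
    if srv.dnssec_validated and cert_matches(san_dns_names, srv.target):
        return "delegated"
    return "reject"
```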