IETF
dane@jabber.ietf.org
Thursday, November 13, 2014
stpeter has set the subject to: DANE WG | http://tools.ietf.org/wg/dane/

GMT+0
[00:00:08] <nico> m&m: no thx
[00:00:13] <m&m> /nod
[00:01:17] <Franck Martin> I would do DANE, if I could do DNSSEC, but geolocation is not well supported with DNSSEC
[00:01:25] <m&m> Peter Koch at the mic
[00:01:38] <sftcd> with quotes
[00:01:40] <=JeffH> perhaps something to resurrect: https://tools.ietf.org/html/draft-agl-dane-serializechain-01
[00:01:57] <m&m> (note … please prefix with relay: or mic: if you want it said in the room)
[00:02:11] jtrentadams@gmail.com leaves the room
[00:02:12] Aaron leaves the room
[00:02:17] <m&m> Richard Barnes at the mic
[00:03:01] <m&m> Franck: did you want that relayed?
[00:03:12] <Franck Martin> I can come to the mic :P
[00:03:25] <viktor_dukhovni@hardakers.net> Yes, stapled DANE RRs are a potentially useful idea.
[00:03:25] <Chris Grundemann> @Franck: any pointer to paper / info regarding the DNSSEC geolocation issue(s)? I'd love to know more...
[00:03:28] <m&m> wasn't sure (-:
[00:03:50] <m&m> Jason Livingood at the mic
[00:03:50] Kurt Andersen leaves the room
[00:04:00] <nico> in general it'd be nice if MUAs could display indicators of security -- with DANE this would be feasible, and it'd help users demand the feature
[00:04:17] <bortzmeyer> The DANE cookbook : http://www.afnic.fr/en/about-afnic/news/general-news/7451/show/securing-internet-communications-end-to-end-with-the-dane-protocol-1.html
[00:04:21] <nico> viktor: AGL @ google had a stapled DANE format, and tooling
[00:04:21] <sftcd> has someone thought about stapled DANE RR's and split-horizon DNS? seems like there may be "issues"
[00:04:41] <m&m> ekr at the mic
[00:04:41] <sftcd> or maybe not given DNSSEC
[00:04:52] <Andrew Sullivan> @Stephen: even DNSSEC with split-horizon is really hard
[00:05:10] <sftcd> right, the DANE-needs-DNSSEC thing might make it over-hard
[00:05:14] <nico> a standard for encoding lists of DNSSEC RRsets in a way that's easy to staple and verify would be great
[00:05:25] <Andrew Sullivan> There was a draft in DNSOP years ago for how to do this, and it went nowhere
[00:05:40] <sftcd> @andrew: why'd it go nowhere?
[00:05:48] Chris Grundemann leaves the room
[00:05:59] <m&m> sebastian castro at the mic
[00:06:45] jtrentadams@gmail.com joins the room
[00:06:47] <Andrew Sullivan> @Stephen: 1. SPLIT BRAIN EVIL! 2. We don't have any clear way to talk about split brain in the first place 3. Wow this is hard
[00:07:05] <Andrew Sullivan> (2) and (3) seem like good reasons that nobody picked it up.  (1) is of course stupid, but it happens
[00:07:14] <m&m> George Martinsen at the mic
[00:07:50] Aaron joins the room
[00:08:04] jtrentadams@gmail.com leaves the room
[00:08:17] <resnick> Yay George!!
[00:08:19] <resnick> :-D
[00:08:24] <m&m> ekr at the mic
[00:08:28] <=JeffH> dnsviz.net
[00:08:57] <viktor_dukhovni@hardakers.net> Relay: Where are we with the "last mile problem" for DNSSEC?
[00:09:02] Aaron Zauner joins the room
[00:09:04] jtrentadams@gmail.com joins the room
[00:09:18] <m&m> in line
[00:09:25] <m&m> Wes at the mic
[00:09:56] EKR joins the room
[00:10:16] Aaron leaves the room
[00:10:20] <sftcd> interesting: meetecho means the count of chars in warren's pwd is recorded for posterity
[00:10:23] chris grundemann joins the room
[00:10:38] <Andrew Sullivan> Nice!
[00:10:50] negecy joins the room
[00:10:51] <sftcd> probably the typo there would reduce the search space too
[00:11:01] <Andrew Sullivan> Caffeine is now a security app!
[00:11:04] negecy leaves the room
[00:11:08] negecy joins the room
[00:11:14] <Sean Turner> okay what's the screen on the right - is that a list of the folks in meetecho
[00:11:25] <sftcd> what screen?
[00:11:42] <Andrew Sullivan> You can only see it in the room.  I've wondered all week Sean
[00:11:42] <m&m> Franck at the mic
[00:11:47] <EKR> To recap: the basic trust model of browser PKI is to have the list of all the TAs in the browser. So, when we update it, it might or might not make sense to do so in the DNS, but it's purely a question of efficiency
[00:12:00] chris grundemann leaves the room
[00:12:00] <EKR> Because at the end of the day the root of trust is the browser vendor
[00:12:05] Gowri Visweswaran joins the room
[00:12:21] Chris Grundemann joins the room
[00:12:28] Gowri Visweswaran leaves the room
[00:12:38] <EKR> Obviously a distributed trust model like DANE is totally different.
[00:12:42] <sftcd> @ekr: true, but maybe a lot because the browser is the dominant app
[00:12:43] <EKR> And that's a good thing.
[00:12:45] <Jakob Schlyter> EKR; Are there any browsers except Firefox that are shipped with integrated trust anchors today?
[00:13:02] Aaron joins the room
[00:13:13] <sftcd> @jakob: thought all but IE did?
[00:13:15] <EKR> Jakob: the other browsers get their trust anchors from the OS
[00:13:21] <Jakob Schlyter> right.
[00:13:25] <sftcd> even chromium?
[00:13:28] <m&m> Phil at the mic
[00:13:29] <Jakob Schlyter> yes.
[00:13:37] <EKR> but of course except for Chrome, the difference between the OS and the browser is kinda thin
[00:13:42] <sftcd> on linux or just windows/mac
[00:13:58] <EKR> sftcd: I'm not sure where Chromium gets its trust anchor on Linux
[00:14:07] <EKR> I believe Android has its own trust anchor list.
[00:14:07] <sftcd> guess I should look;-)
[00:14:39] <Jakob Schlyter> chromium uses NSS on linux.
[00:14:49] <Jakob Schlyter> https://github.com/kirei/catt/wiki/CAs-used-by-Google-Software has some more information
[00:14:57] <EKR> But I'm not seeing a lot of difference between an OS update and a browser update when the browser vendor is the OS vendor
[00:15:22] <EKR> Note that Firefox always uses NSS but I believe that the NSS list is not the same as the Firefox list
[00:15:29] <EKR> rbarnes knows for sure
[00:15:41] <sftcd> ok, so we just blame richard and move on
[00:16:28] <EKR> Probably
[00:17:27] <negecy> DANE distribution would have more success not fighting against the PKIX model but promoting the advantage of having both models working together. DANE itself does not say anything other than that ownership of the domain has been proven; non-pinned certs can be mis-issued. With DANE as the most efficient solution for pinning and PKIX as the most efficient solution for identity validation, both models are best combined. That's not always clear, and promotion for DANE too often went the wrong way, resulting in losing power by discussing two solutions against each other instead of combining the power of both.
[00:17:34] <m&m> Jim at the mic
[00:17:48] <nico> ah: https://tools.ietf.org/html/draft-agl-dane-serializechain-01
[00:17:56] <bortzmeyer> DPRIVE charter does not mention authentication of the resolver. So, it does not really solve the last mile problem.
[00:17:56] <sftcd> Jim Gettys?
[00:17:57] <=JeffH> yep
[00:18:08] <m&m> yes, Jim Gettys
[00:18:16] <sftcd> ta
[00:18:26] <=JeffH> sorry, my 'yep' was in response to nico
[00:18:28] <nico> http://src.chromium.org/viewvc/chrome/trunk/src/net/base/dnssec_chain_verifier.cc?pathrev=167227
[00:18:29] <m&m> Ralph (??) at the mic
[00:18:53] <nico> and git://github.com/agl/dnssec-tls-tools.git
[00:19:19] <sftcd> @nico: thought chrome team took out dane recently though
[00:19:24] <m&m> Jim Gettys at the mic
[00:19:34] <Jakob Schlyter> the previous work by Google/AGL has very little to do with the current DANE model.
[00:19:42] <nico> sftcd: yes, they did, but it's still in the history
[00:19:44] <Jakob Schlyter> Chrome never did DANE.
[00:20:02] <nico> Jakob: but the code was there
[00:20:06] <nico> it's gone now
[00:20:21] <EKR> So obviously TLS clients could include DANE verifiers and accept DANE-signed keys in addition to PKIX keys
[00:20:27] <nico> the point is that that's a good starting point for stapling DANE
[00:20:32] <Jakob Schlyter> no, it was not DANE as we know it today. it was something else.
[00:20:40] <EKR> Jakob: sure, but we could add DANE
[00:20:50] <Jakob Schlyter> yes, absolutely.
[00:20:51] <m&m> Paul Hoffman at the mic
[00:21:12] <nico> Jakob: the stapling?  it was very close
[00:21:40] Sean Turner joins the room
[00:22:28] <m&m> Eric Ostweller
[00:22:39] <m&m> Osterweller, sorry
[00:22:51] <shollenbeck> Osterweil
[00:22:57] Aaron leaves the room
[00:23:11] <EKR> Doesn't the S/MIME version require users' identities to be in DNS?
[00:23:12] Aaron joins the room
[00:23:15] <m&m> so I am even worse off (-:
[00:23:16] <EKR> I.e., ekr.example.org
[00:23:51] <nico> relay: the killer app for SMTP w/ DANE is MUA security indicators for received mail and for outgoing addresses, and a button for "make this secure"
[00:23:56] <Jakob Schlyter> EKR; there's an SMIMEA RR at SHA2-224("ekr")._smimecert.example.com.
[00:24:26] <m&m> in line
[00:24:30] <EKR> Jakob: that seems pretty hard on users
[00:25:05] <nico> relay: the killer app for HTTP/2.0 with TLS is harder to pin down: users won't really see the difference -- it'd have to be a UI element, again, but browsers have been trying to get away from UI security indicators
[00:25:08] <Jakob Schlyter> EKR; the rationale behind this is in the draft. why hard?
[00:25:29] <nico> sorry :)
[00:25:47] <m&m> Wes at the mic
[00:25:49] <EKR> uh because users have no meaningful contact with their DNS server.
[00:26:09] <jimsch1> ekr: Probably no worse than trying to get things into an LDAP server
[00:26:29] <m&m> Eric at the mic
[00:26:43] <EKR> jimsch1: so basically impossible, you mean
[00:26:49] <jimsch1> ekr: Yes
[00:27:03] <nico> EKR: well, users having to have a URL for themselves that roughly corresponds to their e-mail addresses is not exactly a bad idea for S/MIME
[00:27:04] rbarnes joins the room
[00:27:10] <viktor_dukhovni@hardakers.net> Relay: OPS updates 6698 not SMIMEA.  OPS is TLSA OPS.  It is not SMTP specific, but it is TLS/TLSA specific.
[00:27:14] <jimsch1> ekr: And ldap does not believe that email addresses are case sensitive
[00:27:24] <nico> EKR: users wouldn't need to know
[00:27:39] <nico> they'd just register their keys with their mail domain
[00:27:40] metricamerica joins the room
[00:27:47] <EKR> nico: and how would they do that?
[00:27:51] Kurt Andersen joins the room
[00:27:51] <m&m> in line
[00:27:53] <nico> EKR: their MUA would
[00:27:54] negecy leaves the room: Disconnected: closed
[00:28:00] <nico> probably as an IMAP extension!
[00:28:02] <m&m> Wes at the mic
[00:28:04] emile stephan joins the room
[00:28:25] <EKR> nico: I'm sure in principle all this is possible, but it would require a lot more machinery to be standardized
[00:28:33] <nico> EKR: no doubt
[00:28:45] <jimsch1> nico: So as a pop user I am totally SOL
[00:28:52] <nico> and ultimately there's the problem that the users need to sync private keys across many mobile devices
[00:28:57] <m&m> Sean at the mic
[00:29:01] <nico> jimsch1: aren't you already?
[00:29:10] <m&m> Sean Turner
[00:29:14] <nico> jimsch1: :)
[00:29:15] <m&m> Paul Hoffman at the mic
[00:29:44] <nico> anyways, gtg-ish
[00:30:48] <m&m> open mic time
[00:31:03] Jakob Schlyter leaves the room
[00:31:04] shollenbeck leaves the room
[00:31:04] Hugo Kobayashi leaves the room
[00:31:05] Aaron leaves the room
[00:31:06] shinta leaves the room
[00:31:09] <Dictator> Dec 2 target for Interim meeting
[00:31:15] jimsch1 leaves the room
[00:31:21] <m&m> adjourned
[00:31:21] Suz leaves the room
[00:31:22] Andrew Sullivan leaves the room
[00:31:24] shoji leaves the room
[00:31:27] rbarnes leaves the room
[00:31:30] Geoff Huston leaves the room
[00:31:35] Aaron Zauner leaves the room
[00:31:36] dblacka leaves the room
[00:31:36] EKR leaves the room
[00:31:37] metricamerica leaves the room
[00:31:37] resnick leaves the room
[00:31:40] kivinen leaves the room
[00:31:41] tony hansen leaves the room
[00:31:45] DanYork leaves the room
[00:31:46] sftcd leaves the room
[00:31:54] Dan Timpson leaves the room
[00:31:58] Tomofumi Okubo leaves the room
[00:32:00] metricamerica joins the room
[00:32:01] Meetecho leaves the room
[00:32:06] Sean Turner leaves the room
[00:32:17] Francis Dupont leaves the room: Computer went to sleep
[00:32:24] Viktor Dukhovni leaves the room
[00:32:28] Phill leaves the room
[00:32:33] PaulWouters leaves the room
[00:32:45] ebersman leaves the room
[00:33:03] Dave Crocker leaves the room
[00:33:07] Chris Grundemann leaves the room
[00:33:16] Mankin, Allison leaves the room
[00:33:35] Phill joins the room
[00:34:05] Phill leaves the room
[00:34:24] =JeffH leaves the room
[00:34:50] jlatour leaves the room
[00:35:06] Dictator leaves the room
[00:36:33] nico leaves the room
[00:36:36] Kurt Andersen leaves the room
[00:38:06] Sean Turner leaves the room
[00:38:14] Marco Davids (SIDN) leaves the room
[00:38:36] metricamerica leaves the room
[00:38:57] Yoshiro Yoneya joins the room
[00:39:06] Yoshiro Yoneya leaves the room
[00:39:13] Yoshiro Yoneya leaves the room
[00:39:30] metricamerica joins the room
[00:39:36] Franck Martin leaves the room
[00:40:37] rbarnes joins the room
[00:43:05] viktor_dukhovni@hardakers.net leaves the room
[00:43:17] rbarnes leaves the room
[00:45:17] jtrentadams@gmail.com leaves the room
[00:45:31] Suz joins the room
[00:45:45] Stefan Santesson leaves the room
[00:45:47] viktor_dukhovni@hardakers.net joins the room
[00:47:08] viktor_dukhovni@hardakers.net leaves the room
[00:47:13] Peter Koch leaves the room
[00:47:59] =JeffH joins the room
[00:48:10] bortzmeyer leaves the room
[00:48:37] zwicky leaves the room
[00:48:44] m&m leaves the room: Disconnected: connection closed
[00:51:08] Craig Taylor leaves the room
[00:51:50] satoru.kanno@jabber.org leaves the room
[00:51:54] Kurt Andersen joins the room
[00:57:18] Dan Wing leaves the room
[00:57:29] Aaron joins the room
[00:57:46] Stefan Santesson joins the room
[00:58:42] sftcd x leaves the room
[00:59:49] jlatour joins the room
[01:00:25] jlatour leaves the room
[01:02:47] c leaves the room
[01:04:48] Aaron leaves the room
[01:06:23] Catherine Dibble leaves the room
[01:06:51] Antoin Verschuren leaves the room
[01:07:49] c joins the room
[01:08:59] c leaves the room
[01:09:15] DanYork joins the room
[01:10:32] ilari.liusvaara leaves the room: offline
[01:12:17] Sean Turner joins the room
[01:15:31] rbarnes joins the room
[01:17:58] jlatour joins the room
[01:18:09] viktor_dukhovni@hardakers.net joins the room
[01:18:44] rbarnes leaves the room
[01:21:07] Kurt Andersen leaves the room
[01:23:28] Sean Turner leaves the room
[01:23:36] rbarnes joins the room
[01:24:23] jlatour leaves the room: Replaced by new connection
[01:24:23] jlatour joins the room
[01:24:29] m&m joins the room
[01:24:37] DanYork leaves the room
[01:26:07] metricamerica leaves the room
[01:26:23] =JeffH leaves the room
[01:26:47] naoki joins the room
[01:27:26] m&m leaves the room
[01:31:04] doug.otis joins the room
[01:31:59] EKR joins the room
[01:32:49] metricamerica joins the room
[01:34:42] Franck Martin joins the room
[01:36:52] Franck Martin joins the room
[01:37:07] Franck Martin leaves the room
[01:38:11] rbarnes leaves the room
[01:39:15] Dictator joins the room
[01:39:53] naoki leaves the room
[01:40:03] naoki joins the room
[01:42:07] EKR leaves the room
[01:42:22] EKR joins the room
[01:42:39] Franck Martin leaves the room
[01:44:35] jlatour leaves the room
[01:44:37] Dictator leaves the room
[01:44:50] metricamerica joins the room
[01:45:07] metricamerica leaves the room
[01:49:27] Dictator joins the room
[01:50:57] naoki leaves the room
[01:52:42] Mankin, Allison joins the room
[01:52:59] naoki joins the room
[01:57:12] PaulWouters joins the room
[01:57:37] EKR leaves the room
[01:58:30] Mankin, Allison leaves the room
[01:58:54] naoki leaves the room
[02:00:05] EKR joins the room
[02:01:37] EKR leaves the room
[02:01:46] EKR joins the room
[02:04:10] vdukhovni@gmail.com joins the room
[02:15:35] Aaron joins the room
[02:16:05] PaulWouters leaves the room
[02:23:07] Dictator leaves the room
[02:26:54] Dictator joins the room
[02:27:05] zwicky joins the room
[02:34:42] Suz leaves the room
[02:43:36] viktor_dukhovni@hardakers.net leaves the room
[02:43:46] vdukhovni@gmail.com leaves the room
[02:44:49] Aaron leaves the room
[02:47:31] zwicky leaves the room
[02:51:07] EKR leaves the room
[02:51:37] Dictator leaves the room
[02:52:29] doug.otis leaves the room
[02:52:44] Phill joins the room
[03:00:08] bortzmeyer joins the room
[03:01:52] bortzmeyer leaves the room: Replaced by new connection
[03:01:54] bortzmeyer joins the room
[03:04:35] Stefan Santesson leaves the room
[03:06:13] Dictator joins the room
[03:07:24] EKR joins the room
[03:13:07] EKR leaves the room
[03:16:07] Dictator leaves the room
[03:16:11] EKR joins the room
[03:18:00] Aaron joins the room
[03:18:05] Aaron leaves the room
[03:30:27] shinta joins the room
[03:54:30] shinta leaves the room
[04:04:45] Dictator joins the room
[04:06:38] Dictator leaves the room
[04:06:43] Dictator joins the room
[04:09:03] Dictator joins the room
[04:09:08] Dictator leaves the room
[04:12:02] Dictator joins the room
[04:12:08] Dictator leaves the room
[04:13:38] Dictator leaves the room
[04:26:23] Phill leaves the room
[05:01:08] EKR leaves the room
[05:05:13] EKR joins the room
[05:14:19] Stefan Santesson joins the room
[05:21:32] bortzmeyer leaves the room
[05:33:08] EKR leaves the room
[05:34:18] bortzmeyer joins the room
[05:59:35] shinta joins the room
[06:02:11] shinta leaves the room
[06:26:19] metricamerica leaves the room
[07:14:41] Mankin, Allison joins the room
[07:36:10] Mankin, Allison leaves the room
[08:44:19] Dictator joins the room
[08:51:57] Dictator leaves the room
[09:24:19] bortzmeyer leaves the room
[15:06:57] Stefan Santesson leaves the room: Disconnected: Replaced by new connection
[15:06:57] Stefan Santesson joins the room
[16:11:03] Dictator joins the room
[16:11:42] EKR joins the room
[16:39:52] bortzmeyer joins the room
[16:41:06] Dictator leaves the room
[17:05:27] dblacka joins the room
[17:33:21] dblacka leaves the room
[17:49:56] Dictator joins the room
[17:55:02] Stefan Santesson leaves the room
[18:03:36] EKR leaves the room
[18:15:51] EKR joins the room
[18:18:06] EKR leaves the room
[18:18:45] EKR joins the room
[18:22:07] EKR leaves the room
[18:22:35] EKR joins the room
[18:23:37] EKR leaves the room
[18:31:54] jlatour joins the room
[18:37:25] bortzmeyer leaves the room
[18:48:10] jlatour leaves the room
[18:48:15] jlatour joins the room
[18:48:30] jlatour leaves the room
[18:50:37] Dictator leaves the room
[18:55:49] doug.otis joins the room
[18:55:51] EKR joins the room
[18:58:05] jlatour joins the room
[19:03:10] Mankin, Allison joins the room
[19:07:39] bortzmeyer joins the room
[19:09:45] bortzmeyer leaves the room
[19:09:47] bortzmeyer joins the room
[19:10:37] EKR leaves the room
[19:11:20] EKR joins the room
[19:13:36] jlatour leaves the room
[19:15:20] jlatour joins the room
[19:22:11] doug.otis leaves the room
[19:26:37] EKR leaves the room
[19:26:53] EKR joins the room
[19:31:39] Mankin, Allison leaves the room
[19:49:37] EKR leaves the room
[20:28:44] jlatour leaves the room
[20:30:02] Mankin, Allison joins the room
[20:32:47] Mankin, Allison leaves the room
[20:33:35] jlatour joins the room
[20:40:47] bortzmeyer leaves the room
[21:00:19] Mankin, Allison joins the room
[21:01:22] bortzmeyer joins the room
[21:01:33] Mankin, Allison leaves the room
[21:11:17] bortzmeyer leaves the room
[21:15:41] jlatour leaves the room
[21:16:02] Mankin, Allison joins the room
[21:20:55] Mankin, Allison leaves the room
[21:41:13] EKR joins the room
[21:43:08] EKR leaves the room
[21:53:25] bortzmeyer joins the room
[22:10:37] EKR joins the room
[22:28:21] EKR joins the room
[22:28:38] EKR leaves the room
[22:29:08] EKR leaves the room
[22:38:13] jlatour joins the room
[22:59:23] bortzmeyer leaves the room: Replaced by new connection
[22:59:24] bortzmeyer joins the room
[22:59:41] bortzmeyer leaves the room
[23:00:51] jlatour leaves the room
[23:05:18] jlatour joins the room
[23:22:26] Meetecho RAV joins the room
[23:24:44] EKR joins the room
[23:33:09] EKR leaves the room
[23:39:42] dblacka joins the room
[23:44:45] EKR joins the room
[23:51:09] EKR leaves the room