Re: [DNSOP] Declaring HTTPS mandatory in the DNS
Basically, the draft (draft-hoffman-server-has-tls) provides a mechanism by which the server tells the client which port is insecure/secure. An idea suddenly coming into my mind is: why not integrate such a mechanism with SRV [RFC2782]? The format of the SRV RR is like this:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

Just add one field to indicate the security property of the port (namely, whether the port is secure or not) and most of the work is done. Forgive me if something obvious is missed!

Guangqing Deng

From: Paul Wouters
Date: 2012-11-20 02:47
To: Paul Hoffman
CC: dnsop
Subject: Re: [DNSOP] Declaring HTTPS mandatory in the DNS

> On Mon, 19 Nov 2012, Paul Hoffman wrote:
>
>>> Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
>>
>> Exactly! Thanks. This I-D is not HTTPS-specific, which may explain why I did not find it.
>
> Y'all forget that think that security is valuable for things other than the web. :-)
>
>> The draft has expired because there was little interest in it, and it causes weird interactions with HSTS from the websec WG.
>
> That will probably lead to people using the TLSA record as a pointer to "do not connect without TLS". Which I believe people who wanted HASTLS did not like? (As HSTS does not protect you from attacks from sites you've never visited before from a trusted network.)
>
> Paul

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Declaring HTTPS mandatory in the DNS
Paul Wouters p...@cypherpunks.ca wrote:

> That will probably lead to people using the TLSA record as a pointer to "do not connect without TLS".

I wrote that requirement into my DANE for email drafts.

http://tools.ietf.org/html/draft-fanf-dane-smtp-04#section-3.2
http://tools.ietf.org/html/draft-fanf-dane-mua-00#section-3

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: [DNSOP] Declaring HTTPS mandatory in the DNS
On Mon, Nov 19, 2012 at 09:05:43AM -0500, Scott Schmit i.g...@comcast.net wrote a message of 119 lines which said:

>> Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
>
> Exactly! Thanks. This I-D is not HTTPS-specific, which may explain why I did not find it.

Someone also suggested this proposal (not an I-D):

http://www.circleid.com/posts/20090105_problem_with_https_ssl_md5/
Re: [DNSOP] Declaring HTTPS mandatory in the DNS
On 11/19/2012 9:41 AM, Stephane Bortzmeyer wrote:

> On Mon, Nov 19, 2012 at 09:05:43AM -0500, Scott Schmit i.g...@comcast.net wrote a message of 119 lines which said:
>
>>> Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
>>
>> Exactly! Thanks. This I-D is not HTTPS-specific, which may explain why I did not find it.
>
> Someone also suggested this proposal (not an I-D):
>
> http://www.circleid.com/posts/20090105_problem_with_https_ssl_md5/

It should be noted that the section of the original article recommending that a custom DNS record be quickly standardized through the IETF process, and adopted, was actually struck out after feedback by Robert Graham:

"As Robert Graham, co-founder and CEO of Erratasec (http://www.erratasec.com/) pointed out, I have the implementation process backwards because implementation has always come before standardization on the Internet. I must have been asleep writing that last paragraph because I should already know better.

Robert Graham: What made the Internet different from all the other competing internetworks of the 1980s was that people would implement something first, then standardize it. OSI failed because standards led implementations. Either Microsoft or Mozilla should just implement something, and document the DNS format that they will accept. Standards bodies can catch up later."

I think this is probably wise advice, although there is nothing wrong with getting Microsoft, Mozilla and/or Google involved early in the standardization process...

- Kevin
Re: [DNSOP] Declaring HTTPS mandatory in the DNS
On Mon, 19 Nov 2012, Paul Hoffman wrote:

>> Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
>
> Exactly! Thanks. This I-D is not HTTPS-specific, which may explain why I did not find it.

Y'all forget that think that security is valuable for things other than the web. :-)

> The draft has expired because there was little interest in it, and it causes weird interactions with HSTS from the websec WG.

That will probably lead to people using the TLSA record as a pointer to "do not connect without TLS". Which I believe people who wanted HASTLS did not like? (As HSTS does not protect you from attacks from sites you've never visited before from a trusted network.)

Paul
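The two "TLS is mandatory" signals discussed in this thread, Guangqing Deng's idea of a security flag appended to the SRV record and the TLSA-record-as-policy approach Paul Wouters and Tony Finch describe, can be shown side by side in a small client-side policy check. The following is an added example written for this archive page, not code from any of the posters or from the drafts they cite. It assumes a hypothetical fifth SRV field holding the literal `secure` or `insecure` (no such field is standardized), treats the mere presence of a TLSA record at `_port._proto.host` as "do not connect without TLS", and uses constructed zone data held in a dictionary instead of performing real DNS lookups. The TLSA certificate-association hex is a placeholder, not a real fingerprint.

```python
"""Decide from DNS data whether a client must refuse non-TLS connections.

Two signals are modelled (both assumptions for illustration, see lead-in):
  * a TLSA record (RFC 6698 owner name _port._proto.host): presence means
    "do not connect without TLS", the policy discussed in the thread;
  * an SRV record with a hypothetical trailing "secure"/"insecure" flag,
    the extension sketched by Guangqing Deng (not a standard field).
All zone data below is constructed inline; nothing touches the network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str
    secure: Optional[bool] = None  # hypothetical flag; None when absent


def parse_srv(rdata: str) -> SRV:
    """Parse SRV presentation format "priority weight port target [flag]".

    Standard RFC 2782 rdata has four tokens; a fifth token is the
    hypothetical security flag and must be "secure" or "insecure".
    """
    parts = rdata.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed SRV rdata: {rdata!r}")
    priority, weight, port = (int(p) for p in parts[:3])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range in SRV rdata: {rdata!r}")
    target = parts[3].rstrip(".").lower()
    secure: Optional[bool] = None
    if len(parts) == 5:
        flag = parts[4].lower()
        if flag not in ("secure", "insecure"):
            raise ValueError(f"unknown security flag in SRV rdata: {rdata!r}")
        secure = flag == "secure"
    return SRV(priority, weight, port, target, secure)


# Constructed zone data: (owner name, RR type) -> list of rdata strings.
PLACEHOLDER_HASH = "ab" * 32  # constructed, not a real certificate digest
ZONE: Dict[Tuple[str, str], List[str]] = {
    # SRV with the hypothetical flag set: TLS mandatory by the SRV path.
    ("_xmpp-client._tcp.example.com", "SRV"): ["10 5 5222 xmpp.example.com. secure"],
    # Plain SRV, no TLSA at the target port: TLS optional.
    ("_imap._tcp.example.com", "SRV"): ["10 5 143 mail.example.com."],
    # Plain SRV, but a TLSA record exists at _993._tcp: TLS mandatory by DANE.
    ("_imaps._tcp.example.com", "SRV"): [
        "20 1 993 backup.example.com.",
        "10 5 993 mail.example.com.",
    ],
    ("_993._tcp.mail.example.com", "TLSA"): [f"3 1 1 {PLACEHOLDER_HASH}"],
    ("_25._tcp.mail.example.com", "TLSA"): [f"3 1 1 {PLACEHOLDER_HASH}"],
}


def lookup(name: str, rrtype: str) -> List[str]:
    """Case-insensitive lookup in the constructed zone (stand-in for DNS)."""
    return ZONE.get((name.rstrip(".").lower(), rrtype), [])


def tls_required(host: str, port: int, proto: str = "tcp") -> bool:
    """True when a TLSA record exists for the service port on this host.

    This is the "TLSA as a pointer to do not connect without TLS" policy.
    """
    return bool(lookup(f"_{port}._{proto}.{host}", "TLSA"))


def resolve_service(service: str, proto: str, domain: str) -> Tuple[str, int, bool]:
    """Pick an SRV target and report whether TLS is mandatory for it.

    Target choice is lowest priority, then highest weight (RFC 2782 actually
    calls for weighted random selection within a priority; the deterministic
    choice here keeps the example reproducible). TLS is mandatory when the
    hypothetical SRV flag says "secure" or a TLSA record covers the target port.
    """
    records = lookup(f"_{service}._{proto}.{domain}", "SRV")
    if not records:
        raise LookupError(f"no SRV record for _{service}._{proto}.{domain}")
    best = min((parse_srv(r) for r in records), key=lambda s: (s.priority, -s.weight))
    mandatory = best.secure is True or tls_required(best.target, best.port, proto)
    return best.target, best.port, mandatory


if __name__ == "__main__":
    for svc in ("xmpp-client", "imap", "imaps"):
        target, port, mandatory = resolve_service(svc, "tcp", "example.com")
        print(f"{svc:12s} -> {target}:{port}  TLS {'required' if mandatory else 'optional'}")
```

The SRV path and the TLSA path answer the same question from different places in the tree: the flag lives with the service name (`_imaps._tcp.example.com`), while the TLSA record lives with the target host and port (`_993._tcp.mail.example.com`), which is why a client following SRV has to finish target selection before it can consult TLSA. In a real deployment both lookups only carry policy weight when the answers are DNSSEC-validated; this example skips validation because it never talks to a resolver.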