Hi Viktor, Paul,I don't know the history of DANE matter and don't have time to dig into it either but I want to say a couple of things:
On 05.02.26 15:50, Paul Wouters wrote:
For reference, EKR and Richard Barnes fiercly opposed any kind of pinning in browsers, that had the exact same property: prevent a downgrade attack.
Given that I have pointed out two times [0,1] that my collaborators have done DANE-related formal analysis and to reach out to them to request formal analysis or intuition/opinion, it is unclear to me whether the intention of repeated mentions is really to solve the problem or to personally target two respectable members of the WG, who have not only been contributing to the specs but also kindly managing to spare some time during the busy IETF weeks to help out in progressing the formal analysis work for FATT.
So I would once again ask: did the DANE authors reach out to the researchers? What did they say?
Seeing that we are far from actual quantum computers, it seems the same balancing act applies here.
I don't think the predicate here is correct.
I think it is a _very_ fair question now to ask why having pinning as a feature is suddenly acceptable. Because now it does appear that the original pushback was not about pinning, but about supporting an alternative trust model to the CAB/Forum (webpki) using DNSSEC(DANE).
Even if I assume everything you say is correct, this is not very impressive argument to me. We don't live in a static world. Opinions may change over time, based on more evidence, proof etc. Sharing my own experience: in TLS meeting at IETF 122, I defended intra-handshake attestation proposal and in next UFMRG meeting, I will show a proof of insecurity of intra-handshake attestation. So does it mean I have "suddenly" changed opinions? While I, Mariam and Tuomas believed at IETF 122 time that intra-handshake attestation can be made secure, further formal analysis and subtleties of key schedule revealed otherwise.
Anyway, what seems productive to me is to write a draft which provides guidance on what is the criteria the WG believes goes into the handshake and what not, so that when someone in the future wants to put something into TLS, they can compare this criteria or learn from the findings/experiences. I also see value in such a draft as it will save me time from formal analysis perspective.
Thanks in advance for keeping the discussions technical and not personally targeting the individuals!
-Usama [0] https://mailarchive.ietf.org/arch/msg/tls/VfgJ5ExuYXvEiSGlNJ0X8L1jGHI/ [1] https://mailarchive.ietf.org/arch/msg/dance/GIPVxwb4SnnN4I4K-xY0QLK0EzQ/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
