Re: Quic: the elephant in the room

On Mon, Apr 12, 2021 at 12:48:28PM -0400, Phillip Hallam-Baker wrote:
> On Mon, Apr 12, 2021 at 12:10 PM Nico Williams <nico@xxxxxxxxxxxxxxxx>
> wrote:
> > "No magnification DDoS please"
> 
> Oh, I have that built into the key exchange phase.

Sure.  We've talked about this before.  The DNS data model can't really
change, but the protocol can.  We're already seeing the protocol change
with DoT and DoH.

> > > If you have a low-level IoT device, you are probably better off doing
> > > path math properly in one trusted device in your network than relying
> > > on whatever embedded code is running in your toaster.
> >
> > Absolutely.  There is a trade-off to make.  Low-power && low-value RPs
> > should prefer stapling, or even a local caching recursive resolver to do
> > all the lookups and signature verification too.
> 
> If I were still doing PKIX, my long term plan would be to get rid of OCSP
> and move to short lived certs created using thresholded techniques. But I
> am not and nobody is paying me to think about that world any more.

Forget the details of X.509/PKIX/ASN.1 and all of that.  A lot of the
concepts remain the same.  PKIX, for all its warts, got some things
right that must not get lost in the shuffle.  First of all, naming must
be "typed" (I don't mean structured, but that you have to know if
"name@domain" is an email address or a Kerberos principal name).
Second, you need to be able to name more than one name.  Third (really,
first), name constraints!  And so on.  Ultimately, certificates need to
be signed big bags of extensions, and in a post-PKIX world those things
should all be strings.

Nico
-- 
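Editor's added example (not part of Nico's message or of the thread): the three PKIX points above, typed names, more than one name per certificate, and name constraints, as they are checked in practice. The code models a name as a (type, value) pair and applies RFC 5280 section 4.2.1.10 matching for dNSName and rfc822Name, so the same string "alice@example.com" gets a different verdict depending on its type, a constraint of one type never touches a name of another type, and a name form the checker cannot evaluate fails closed when a constraint of that form exists. The CA constraints and the leaf's names are constructed for the example; no real certificate is parsed.

```python
"""Name-constraint matching over typed names, after RFC 5280 4.2.1.10.

Added example for the PKIX points in the post above; the constraint sets
and leaf names below are constructed, not taken from any real certificate.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# A typed name: (GeneralName type, value), e.g. ("dNSName", "www.example.com").
Name = Tuple[str, str]


def _dns_matches(name: str, constraint: str) -> bool:
    # dNSName: the constraint's labels must be the name's trailing labels,
    # so host.example.com matches "example.com" but notexample.com does not.
    # DNS names are case-insensitive, so both sides are lowered.
    n = name.lower().rstrip(".")
    c = constraint.lower().strip(".")
    if not c:
        return True  # an empty constraint matches every dNSName
    return n == c or n.endswith("." + c)


def _rfc822_matches(name: str, constraint: str) -> bool:
    # rfc822Name: "a@b" names one mailbox, "b" names all mailboxes on host b,
    # ".b" names all mailboxes in subdomains of b (and, per the RFC, not on b
    # itself).  Compared case-insensitively here for simplicity.
    name, constraint = name.lower(), constraint.lower()
    if "@" not in name:
        return False  # not a mailbox at all
    _local, _, host = name.rpartition("@")
    if "@" in constraint:
        return name == constraint
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


_MATCHERS = {"dNSName": _dns_matches, "rfc822Name": _rfc822_matches}


@dataclass
class NameConstraints:
    permitted: List[Name] = field(default_factory=list)
    excluded: List[Name] = field(default_factory=list)


def name_allowed(name: Name, nc: NameConstraints) -> bool:
    """True if one typed name is acceptable under the constraints."""
    ntype, value = name
    # Only constraints of the same name type apply: typed naming in action.
    excl = [v for t, v in nc.excluded if t == ntype]
    perm = [v for t, v in nc.permitted if t == ntype]
    matcher = _MATCHERS.get(ntype)
    if matcher is None:
        # RFC 5280: a constrained name form we cannot evaluate must fail closed;
        # an unconstrained form we cannot evaluate is left alone.
        return not (excl or perm)
    if any(matcher(value, c) for c in excl):
        return False
    if perm and not any(matcher(value, c) for c in perm):
        return False
    return True


def all_allowed(names: List[Name], nc: NameConstraints) -> bool:
    """A certificate carries several typed names; every one must pass."""
    return all(name_allowed(n, nc) for n in names)


# Constructed intermediate-CA constraints: hosts under example.com and
# mailboxes on the host example.com, but nothing under internal.example.com.
CA_CONSTRAINTS = NameConstraints(
    permitted=[("dNSName", "example.com"), ("rfc822Name", "example.com")],
    excluded=[("dNSName", "internal.example.com")],
)

# Constructed leaf subjectAltName entries.
LEAF_NAMES: List[Name] = [
    ("dNSName", "www.example.com"),
    ("rfc822Name", "alice@example.com"),
]

if __name__ == "__main__":
    probes: List[Name] = LEAF_NAMES + [
        ("dNSName", "notexample.com"),
        ("dNSName", "host.internal.example.com"),
        ("rfc822Name", "alice@mail.example.com"),
        ("dNSName", "alice@example.com"),  # same string, wrong type
        ("iPAddress", "10.0.0.1"),          # no constraints of this type
    ]
    for probe in probes:
        print(f"{probe[0]:>11} {probe[1]:<28} {'ok' if name_allowed(probe, CA_CONSTRAINTS) else 'REJECT'}")
```

The two rfc822Name cases are the ones people get wrong: with the host-form constraint "example.com", alice@example.com is permitted and alice@mail.example.com is not, while a leading-dot constraint ".example.com" would invert both. The "alice@example.com" probe carried as a dNSName is rejected because it is judged as a DNS name, which is exactly the "typed" property the post asks for.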