expecting larger records when tlsa is deployed
play

Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN - PowerPoint PPT Presentation

May 04, 2023 •49 likes •139 views

Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN Consortium OARC 2011 Spring Workshop V.01 1 Overview What is DANE/TLSA What a TLSA request and resource record will probably look like Expectations for timing and

  1. Expecting Larger Records When TLSA Is Deployed Paul Hoffman, VPN Consortium OARC 2011 Spring Workshop V.01 1

  2. Overview • What is DANE/TLSA • What a TLSA request and resource record will probably look like • Expectations for timing and amounts 2

  3. DANE WG in the IETF • Problem: TLS certificates currently need to be rooted by one of the hundreds of “trusted” CAs • It would be good to be able to put the trust of “this cert is associated with this domain name” in the DNS itself • Solution: let the DNS publish the certificate associations (RRtype is currently called TLSA) • Requirement: DNSSEC 3

  4. Hasn’t this already been done? • Not for TLS – SSH has SSHFP (RRtype 44, RFC 4255) – IPsec has IPSECKEY (RRtype 45, RFC 4025) – SSHFP and IPSECKEY are barely used in practice • However, there seems to be a lot of interest in DANE for TLS 4

  5. Likely request format • _443._tcp.www.example.com IN TLSA • _25._tcp.mail.example.com IN TLSA • Also can expect _udp for DTLS • Some requests can get multiple responses – When first rolling out, if the mandatory-to- implement requirements are not clear – Some large TLS sites have multiple certs (but usually only one CA) – We really don’t know 5

  6. Likely resource record format • Certificate type (1 octet), reference type (1 octet), data (lots of octets) • Certificate type is an end-entity certificate or a CA certificate • Reference type is 0 for “unhashed”, with other values for the type of hash 6

  7. Response length • If hashes are used, the record length will be <100 octets • If hashes are not used, the records will be much longer – Cert type of RSA1024, signed with SHA1: ~600 octets – Cert type of RSA2048, signed with SHA256: ~720 octets 7

  8. Operational issues • It is not at all clear whether people will prefer to use unhashed or hashed, but that has a fairly large operational impact • For end-entity certificates, hashed should be just fine • For CA certificates, hashed only makes sense for limiting the CA that can issue certs, so most use of TLSA for CA certs will be unhashed 8

  9. What’s next • More work to be done in the DANE WG • Hopefully will have this finished by this summer (but you know the IETF) • Already have browser implementers who are coding for this • But what do we do for assuring the data is covered by DNSSEC? • DANE WG might add a similar record for S/ MIME after TLSA is done 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generating TLSA, SSHFP and OPENPGPKEY records yum install hash-slinger tlsa --create

Generating TLSA, SSHFP and OPENPGPKEY records yum install hash-slinger tlsa --create

DNSSEC / DANE demo Paul Wouters Senior software engineer, Red Hat October 17, 2015 1 Paul Wouters &lt;pwouters@redhat.com&gt; Generating TLSA, SSHFP and OPENPGPKEY records yum install hash-slinger tlsa --create www.example.com (for

300 views • 19 slides
A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver

A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver

A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver III 24 August 2007 1 Purpose Relate the experiences of a deployed analyst during the Vietnam War in the late 1960s. Compare the experience

643 views • 42 slides
TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group

TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group

TLS and TLSA Bindhumadhava B S &amp; Balaji R Computer Networks and Internet Engineering Group Centre for Development of Advanced Computing No. 68, Electronics City, Bangalore 560100 ICANN 57, Hyderabad 5 th November, 2016 C-DAC Centre for

417 views • 14 slides
WHAT TO EXPECT WHEN WHAT TO EXPECT WHEN YOU'RE EXPECTING... JETPACK YOU'RE EXPECTING... JETPACK

WHAT TO EXPECT WHEN WHAT TO EXPECT WHEN YOU'RE EXPECTING... JETPACK YOU'RE EXPECTING... JETPACK

WHAT TO EXPECT WHEN WHAT TO EXPECT WHEN YOU'RE EXPECTING... JETPACK YOU'RE EXPECTING... JETPACK COMPOSE COMPOSE Mark Murphy, CommonsWare mmurphy@commonsware.com NEW TALK, WHO DIS? NEW TALK, WHO DIS? NEW TALK, WHO DIS? NEW TALK, WHO DIS?

350 views • 21 slides
Flya w a y Hom es Insanity Is Doing the Same Thing Over and Over Again and Expecting Different

Flya w a y Hom es Insanity Is Doing the Same Thing Over and Over Again and Expecting Different

COST-DRIVEN MODEL TO ADDRESS THE CHRONIC HOMELESSNESS CHALLENGE Flya w a y Hom es Insanity Is Doing the Same Thing Over and Over Again and Expecting Different Results - ALBERT EINSTEIN STATS OF STATUS QUO SOLUTION There are 1,400 units of

312 views • 14 slides
Big opportunity but a big challenge Everyone in Mongolia is expecting that the GDP would be

Big opportunity but a big challenge Everyone in Mongolia is expecting that the GDP would be

Big opportunity but a big challenge Everyone in Mongolia is expecting that the GDP would be doubled or tripled from exploration of the big mineral deposits. But not everyone might be aware that quite different nature of stresses on

1.39k views • 20 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
Risk and Records at UTS Records Management Program &gt; University Records, Governance Support

Risk and Records at UTS Records Management Program &gt; University Records, Governance Support

THINK.CHANGE.DO Risk and Records at UTS Records Management Program &gt; University Records, Governance Support Unit, Registrar, DVC (Corporate Services) 6 dedicated f/t positions &gt; Devolved system 2 campuses (city campus over

325 views • 13 slides
AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis Framework for Good Recordkeeping Records are evidence of business Records system Records system Records Records characteristics

404 views • 21 slides
A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management

RM1001 Records Custodian Training May 6, 2019 A haiku. Todays 1. Who is a Records Custodian? Topics 2. Why is Records Management important? 3. What is a Public Record? 4. What is Records Management? 5. Resources 2 1. Who is a

796 views • 33 slides
Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have

Everything You Ever Wanted To Know About Public Records (but didnt know how to ask) Why Have Open Records Laws? Sunshine concept Examples of Records Transparent &amp; Ethical Requests: Government Newspaper request for

281 views • 16 slides
WHAT TO CONSIDER WHEN YOURE EXPECTING MORE ABSENTEE VOTING MAY 13, 2020 SPEAKERS Chairman Ben

WHAT TO CONSIDER WHEN YOURE EXPECTING MORE ABSENTEE VOTING MAY 13, 2020 SPEAKERS Chairman Ben

WHAT TO CONSIDER WHEN YOURE EXPECTING MORE ABSENTEE VOTING MAY 13, 2020 SPEAKERS Chairman Ben Amber McReynolds, Mark Braden, Vote at Home BakerHostetler Hovland, U.S. Election Assistance Commission HOUSEKEEPING Resources are in the

586 views • 21 slides
Thats no moon. What to expect when youre expecting the website youre accessing to be

Thats no moon. What to expect when youre expecting the website youre accessing to be

Thats no moon. What to expect when youre expecting the website youre accessing to be delivered to you by your internet service provider in a fair and just manner according to a series of policies set by a regulator accountable to the

859 views • 62 slides
Objective : Detection of wide range of potential threats Device / Vehicle Op. Speed Autonomy

Objective : Detection of wide range of potential threats Device / Vehicle Op. Speed Autonomy

Multistatic underwater protection sonar best patterns for harbour and larger critical environments Objective: Fixed Asset protection from UW threats Approach: Multistatic active specific patterns and Presentation panel: Deployed &amp; Mobile

178 views • 16 slides
Books and Records 1 Overview Records to be maintained Other Information 2 These se

Books and Records 1 Overview Records to be maintained Other Information 2 These se

Guidelines on maintaining Books and Records 1 Overview Records to be maintained Other Information 2 These se gu guidelin elines es are propo posed sed to be enacted cted as a part of the Regu gulati tions ons for External

283 views • 10 slides
WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?)

WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?)

WHAT ARE STUDENT RECORDS AND WHAT ARE PUBLIC RECORDS? (Whose Interests Are Being Served?) Presented by Jack B. Clarke, Jr. BEST BEST &amp; KRIEGER LLP February 15, 2018 ACSA SYMPOSIUM ANAHEIM, CALIFORNIA AN OVERVIEW 1. The Basics: The

648 views • 50 slides
Spectral Continuity in Dense QCD Phys.Rev.D.78:011501,2008 Quark-Hadron continuity (in-medium)

Spectral Continuity in Dense QCD Phys.Rev.D.78:011501,2008 Quark-Hadron continuity (in-medium)

Spectral Continuity in Dense QCD Phys.Rev.D.78:011501,2008 Quark-Hadron continuity (in-medium) QCD sum rules Key words Different roles of vacuum condensates arXiv:0802.4143[ hep-ph ] M. T. (Saga) N. Yamamoto (Tokyo) T. Hatsuda (Tokyo) (

602 views • 38 slides
Hot-Wire Anemometry Csaba Horvth Anemometry Anemometry: Measurement of fluid velocity

Hot-Wire Anemometry Csaba Horvth Anemometry Anemometry: Measurement of fluid velocity

Hot-Wire Anemometry Csaba Horvth Anemometry Anemometry: Measurement of fluid velocity What kind of anemometers exist? History: Introduced in the first half of the 20th century Commercially available in their present

671 views • 25 slides
Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*,

Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*,

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*, Seongdong Jang*, and Yonghee Kim* *Korea Advanced Institute of Science

325 views • 4 slides
Solar delta-m squared Oscillations using an Off-axis beam to DUSEL September 16 th , 2006 Robert

Solar delta-m squared Oscillations using an Off-axis beam to DUSEL September 16 th , 2006 Robert

Solar delta-m squared Oscillations using an Off-axis beam to DUSEL September 16 th , 2006 Robert Davis University of Colorado Goals Perform first terrestrial measurement of solar parameters using neutrinos (not anti-neutrinos) By use of

321 views • 12 slides
BONDING THEORIES SCH4U1 SP06 Lewis Theory of Bonding (1916) Key Points: The noble gas

BONDING THEORIES SCH4U1 SP06 Lewis Theory of Bonding (1916) Key Points: The noble gas

BONDING THEORIES SCH4U1 SP06 Lewis Theory of Bonding (1916) Key Points: The noble gas electron configurations are most stable. Stable octets can be formed through the transfer of electrons from metals to non-metals. Stable octets

216 views • 19 slides
TRUSS WAVINESS EFFECTS ON MECHANICAL BEHAVIORS OF WIRE-WOVEN BULK KAGOME K. W. Lee 1 , K. J. Kang 1

TRUSS WAVINESS EFFECTS ON MECHANICAL BEHAVIORS OF WIRE-WOVEN BULK KAGOME K. W. Lee 1 , K. J. Kang 1

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS TRUSS WAVINESS EFFECTS ON MECHANICAL BEHAVIORS OF WIRE-WOVEN BULK KAGOME K. W. Lee 1 , K. J. Kang 1 * 1 School of Mechanical System Engineering, Chonnam National Univ., Gwang-ju, Korea *

194 views • 5 slides
The Generalized Gell-MannOkubo Formalism Ga etan Landry Dalhousie University

The Generalized Gell-MannOkubo Formalism Ga etan Landry Dalhousie University

The Generalized Gell-MannOkubo Formalism Ga etan Landry Dalhousie University Agricultural Campus Truro, N. S. June 18, 2014 Previous work G. Landry (2013). Sym etries et nomenclature des baryons. M. Sc. Thesis, Universit e

792 views • 23 slides
Johnzon - Apaches Upcoming JSON Library Hendrik Saly, codecentric AG About the Apache

Johnzon - Apaches Upcoming JSON Library Hendrik Saly, codecentric AG About the Apache

Johnzon - Apaches Upcoming JSON Library Hendrik Saly, codecentric AG About the Apache Incubator &quot;The Incubator project is the entry path into The Apache Software Foundation (ASF) for projects and codebases wishing to become part of

678 views • 42 slides

More recommend