Re: [certid] Review of draft-saintandre-tls-server-id-check

[Martin Rex <mrex@sap.com>]

Shumon Huque wrote:
> 
> On Wed, Sep 08, 2010 at 08:44:56AM -0700, Bernard Aboba wrote:
> > 
> > If the "reference identifier" is  _Service.Name then the match is being done
> > on the *input* to the SRV lookup process, not the output, and prohibition on
> > DNS lookups would not apply (or even make any sense). 
> 
> Yes.
> 
> The output of the SRV record lookup contains a target hostname,
> not a service name, so it's not applicable to the SRVName name
> form. The target could be used in another name form (dNSName)
> as the reference identifier, but then the client needs to convince
> itself that the lookup was done securely (DNSSEC or some other
> means) otherwise there's a security problem.


I'm feeling very uneasy with the suggestion that a DNSSEC instead
of the DNS lookup might make it less of a security problem.

DNSSEC provides only data integrity protection and data origin
authentication of the records, and NOTHING beyond that.  In particular,
it does _NOT_ provide any trust in the conveyed information.


But in order to avoid the mentioned security problem, trust in the
transformation is an absolute prerequisite for the name transformation
in order to use the result in any kind of endpoint identity verification.


Although I personally think the trustworthiness of the rootCA certs
in web browsers is significantly overrated, there seems to be some
understanding out there that there is a huge difference between
cryptographic protection and trust, so there are browser vendors that
require CAs to apply a certain amount of scrutiny before issuing
certificates and subject themselves to an audit for a non-negligable
amount of cost before the browser vendors are going to include the
CAs self-signed rootCA cert as pre-trusted with their browser.


Are DNS domain admins going to be required to apply as much scrutiny
for each and every DNS record in their zone and have to succeed a
comparable audit of their DNS record maintenance procedures before
their parent domain will sign their zone signing keys?


DNS is an important an vital part of the internet, and it needs to
remain fast, efficient and free in order to remain useful.
Besides, even if DNSSEC signed records are being made available
in increasing numbers, that information is not visible to >90% of
the end users of the internet (like DSL subscribers) and is going to
remain invisible for most of them for many years to come.


-Martin