IETF Logo Mail Archive

Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Wed, 03 November 2010 19:15 UTC

Return-Path: <jwkckid1@ix.netcom.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E7C753A68F0 for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 12:15:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86mcXwVfUkHG for <keyassure@core3.amsl.com>; Wed, 3 Nov 2010 12:15:20 -0700 (PDT)
Received: from elasmtp-dupuy.atl.sa.earthlink.net (elasmtp-dupuy.atl.sa.earthlink.net [209.86.89.62]) by core3.amsl.com (Postfix) with ESMTP id 073223A68BE for <keyassure@ietf.org>; Wed, 3 Nov 2010 12:15:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=WPMVVObrlA7Diqx65MC9us1Xlh9KxFPI5pC4WVliIgQp+MqVK3yQShNTcuHoNPAF; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [209.86.224.35] (helo=elwamui-huard.atl.sa.earthlink.net) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <jwkckid1@ix.netcom.com>) id 1PDinu-0007TM-R3 for keyassure@ietf.org; Wed, 03 Nov 2010 15:15:26 -0400
Received: from 99.93.224.206 by webmail.earthlink.net with HTTP; Wed, 3 Nov 2010 15:15:26 -0400
Message-ID: <13301641.1288811726531.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>
Date: Wed, 03 Nov 2010 14:15:26 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: "keyassure@ietf.org" <keyassure@ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688f6797967d839d80c6a7b17d84c1bc5ad350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 209.86.224.35
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 19:15:22 -0000

Ilari and all,


-----Original Message-----
>From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
>Sent: Nov 3, 2010 1:55 PM
>To: Phillip Hallam-Baker <hallam@gmail.com>
>Cc: Tony Finch <dot@dotat.at>, keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
>Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
>
>On Wed, Nov 03, 2010 at 01:14:11PM -0400, Phillip Hallam-Baker wrote:
>> 
>> There are certainly issues that arise with prefixes as I mentioned in
>> my other post. But they are tractable provided that:
>> 
>> 1) You are prepared to allow an additional DNS round trip.
>> 2) You are prepared to introduce a new DNS RR.
>
>Considering the adoption of CERT RR, CERT RR can almost be treated as
>new RR.
>
>And there's a diffrence between having to serialize the query and
>firing off the query in parallel with some other qurey one would have
>to do anyway.
>
>> We have to keep an eye on efficiency, but anything we do here is going
>> to depend on deployment of new DNS support infrastructure and require
>> transport that supports new RRs.
>
>Well, there's RFC 3597. But of course, new RRs (even if RFC 3597-compliant)
>have issues with adminstration.
>
>> Certificates typically bind to an entire domain.
>
>They may, or they may not. Some services use certificates in bizarre
>manner and can't share them with anything.
>
>> Statements concerning configuration of a security policy naturally
>> bind to a specific service at a domain.
>
>If you think HSTS is good example of security policy, consider that
>HSTS is really a special kind of protcol-level redirect and is only
>well-defined because of interactions between HSTS spec and HTTPS
>spec.
>
>That's why I think that records specifying secure equivalent of service
>must specify where to locate the service and how to connect to it
>(there are essentially two ways).
>
>> When we start to look at the consequences of outsourcing, the fact
>> that I have outsourced my Web site to outsource.net does not
>> necessarily mean I want to trust them with my mail service so maybe
>> the assumption that certificates are global to a domain also starts to
>> break down.
>
>Actually, HTTP is just about the worst in this regard since it does
>not support any kind of protocol-specific redirect from DNS. Yes, it
>supports CNAME, but CNAME isn't prtocol-specific.
>
>SMTP has MX records, many protocols have SRV, but HTTP does not have
>anything like that.
> 
>> So I am thinking that we are going to end up with a requirement for
>> protocol specific key assurance.
>
>Actually, at key assurance level, port numbers/services only matter
>if you can partition port numbers/services (which might not be
>possible) or if you have services with different security levels on
>one name (to prevent attacking higher-security services using stolen
>key from lower-security service).

  My take is that this all gets back to getting the CA's cleaned
up if possible AND eliminating the COI in respect to some few CA's
also being trust anchors.  Becaues if a key is presented from a
lower-security service that is a qualified CA and perhaps a Trust
Anchor as well, you end up with a obvious problem that is difficult
to actually solve.  
>
>-Ilari
>_______________________________________________
>keyassure mailing list
>keyassure@ietf.org
>https://www.ietf.org/mailman/listinfo/keyassure
Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
Network Eng. SR. Eng. Network data security
ABA member in good standing member ID 01257402 
E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827

v2.23.0 | Report a Bug | By Email