Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

Ben Laurie <benl@google.com> Tue, 10 December 2013 15:22 UTC

In-Reply-To: <52A73074.1050904@bbn.com>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131205175314.GH761@mournblade.imrryr.org> <E78C07CA-B742-43B2-8848-33DEB22A8014@kumari.net> <201312080234.rB82YeoW029387@new.toad.com> <m3y53tg0c3.fsf@carbon.jhcloos.org> <20131209231919.GY761@mournblade.imrryr.org> <4FAF6906-D258-4AB3-B76C-888C35566097@kirei.se> <20131210073402.GA761@mournblade.imrryr.org> <CABrd9SSSPFOe7HGyFiH=8oP=cvQ-g6HEqBytY8h=bbVonwNR7w@mail.gmail.com> <52A73074.1050904@bbn.com>
Date: Tue, 10 Dec 2013 15:22:13 +0000
Message-ID: <CABrd9SR8ttfj5Ymp6GGAmKTQ8KkCHUn_aQrZyZ0+B=tEt_wVTw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Kent <kent@bbn.com>
Cc: IETF DANE WG list <dane@ietf.org>

On 10 December 2013 15:17, Stephen Kent <kent@bbn.com> wrote:

> Ben,
>
>> ...
>>
>>
>> I'm willing to consider it. But I'm still concerned that without
>> something akin to CT, DANE is more dangerous than the existing PKI.
>>
> Can you elaborate, without reference to CT :-)? DANE seems preferable
> because the DNS hierarchy constrains the range of names that a node may
> assert (validly), unlike the WebPKI model.
>

I agree that there is this additional constraint. It doesn't really address
the core problem, though, which is that registries and registrars, like
CAs, are vulnerable to error, coercion and getting pwned. Registries are
also in a great position to mount targeted attacks, unlike CAs.

Experience suggests that their record, on the whole, is less good than CAs.