Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 28 January 2011 06:34 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EBC13A6BBD for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 22:34:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.191
X-Spam-Level:
X-Spam-Status: No, score=-3.191 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNOBUUd8YiWV for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 22:34:28 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id C1B1A3A6BB8 for <dnsext@ietf.org>; Thu, 27 Jan 2011 22:34:27 -0800 (PST)
Received: by fxm9 with SMTP id 9so3278423fxm.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 22:37:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=MDW8DR0ARjCK6pfDh7GXPppS7vR+K0BtWL/ph9lkfVs=; b=mqSOvoSkXlDQ+hwsQJWngvhmIR7YbXTU1pMBH28WNrwpEcqvM44+ao9EpwYusXHbV8 njchB9lIx7SjXzRmQMLRn2hMEWCElFL5fUZL7StCkTknpd6XFb3yhdHzu74SRnDNoWOI x/a5SnFd22zxo1k42RRYOrdpN0x3OLmZbHC+8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=BJ1RfAd8WmNnA3ZjEX0rzMWI+1lJhnsEfdFSeoc9Wa8qgTDdzv8HYyl+Vg9zKAOx9C tNFh/yHCjs0blzVdkLYz/uPD1ffL6sphFUg8wcNbpnBYLVfgnYxPya1CdXf3qj1JtJwn RhJbaF3T50T6w8tnZZPPwQMVbXbn8aozCY5iQ=
MIME-Version: 1.0
Received: by 10.223.102.77 with SMTP id f13mr1916707fao.113.1296196652537; Thu, 27 Jan 2011 22:37:32 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Thu, 27 Jan 2011 22:37:32 -0800 (PST)
In-Reply-To: <4D41D3E2.6060107@cisco.com>
References: <4D41D3E2.6060107@cisco.com>
Date: Fri, 28 Jan 2011 02:37:32 -0400
Message-ID: <AANLkTikB33P8ODJ1_Tu6rab11=XkvQK7LYE-_w8Wetig@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: John Bashinski <jbash@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 06:34:29 -0000
Thanks for the update, John. Clarification and open question follows: On Thu, Jan 27, 2011 at 4:21 PM, John Bashinski <jbash@cisco.com> wrote: > > Approaches > ========== > > At the moment, the following are under consideration: > > I. Get IANA and the root zone to provide some kind of service for > getting up to date starting from old trust roots. What if, rather than starting from "old trust roots", it was starting from "privately-signed trust anchors"? I.e. have IANA have private keys which are used ONLY for this service. The vendors would include the public keys as trust anchors for boot-strapping purposes. The key transfer might happen offline, or at least out-of-band. The same data could be signed with multiple such unpublished keys, as needed (e.g. one per vendor, per year, use a new key every year, but keep signing with all keys) and/or funded. Vendors might agree to pool resources/keys, or not. In the event of a key compromise of one of these keys, the presumed impact would be finite, small, localized (to a vendor-pool + year tuple), and decreasing over time (if a given public key is used only for one-time bootstrap purposes). And, most importantly, it would be off-axis from the root-key chaining. The rolling of root keys (for whatever reason, especially for compromise) would be orthogonal to this mechanism. And now, consider the possibility when the public keys are never actually published in this or any other zone.... The "public key" would be the trust anchor, used to validate the RRSIG directly. Open question: Does not publishing the key make it harder to compromise the key? (Of course, the key needs to be distributed in the software and/or configuration files, so it's just "less well known", I suppose...) Brian
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson