IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

Joe Abley <jabley@hopcount.ca> Thu, 27 January 2011 21:52 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4693A28C177 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 13:52:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.563
X-Spam-Level:
X-Spam-Status: No, score=-102.563 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFK8xLnIiJ9Y for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 13:52:31 -0800 (PST)
Received: from monster.hopcount.ca (monster.hopcount.ca [216.235.14.38]) by core3.amsl.com (Postfix) with ESMTP id 0F3A33A69DE for <dnsext@ietf.org>; Thu, 27 Jan 2011 13:52:31 -0800 (PST)
Received: from [199.212.90.21] (helo=dh21.r2.owls.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1PiZsX-00092y-Cv; Thu, 27 Jan 2011 21:59:47 +0000
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <4D41D3E2.6060107@cisco.com>
Date: Thu, 27 Jan 2011 16:55:25 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca>
References: <4D41D3E2.6060107@cisco.com>
To: John Bashinski <jbash@cisco.com>
X-Mailer: Apple Mail (2.1082)
X-SA-Exim-Connect-IP: 199.212.90.21
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on monster.hopcount.ca); SAEximRunCond expanded to false
Cc: dnsext List <dnsext@ietf.org>
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 21:52:32 -0000

Hi John,

On 2011-01-27, at 15:21, John Bashinski wrote:

> At the moment, the following are under consideration:
> 
>  I. Get IANA and the root zone to provide some kind of service for
>     getting up to date starting from old trust roots. This is our
>     preferred answer, because--
> 
>     a. Every vendor could use it..
> 
>     b. Every professional network admin would eventually be familiar with it
> 
>     c. Every firewall would probably eventually let it through.
> 
>     d. It would get a lot of scrutiny, and that would make it more
> 	trustworthy.
> 
>     e. We wouldn't have to commit to running a well-known service
> 	for ages and ages. To be honest, it's not that easy to get
> 	a big corporation to buy into something like that in a way
> 	that makes you feel as confident as I'd like to be in this.
> 
>     f. It could outlast any vendor.
> 
>     I do not have the authority to even *suggest* committing any
>     Cisco funds to supporting this, but I could ask. Perhaps others
>     on this list could think about asking their employers as well.
>     It's always easier to get money if the boss feels the need to
>     keep up with the Joneses...

Right now we publish trust anchors for the root zone as:

1. an XML file, which is signed separately using S/MIME and PGP. This file contains the current public key and also includes details of all previous public keys, annotated XMLishly to indicate over what periods of time they were intended to be used.

2. an X.509 certificate. One of the products of a key ceremony is an X.509 CSR, which we sign using an ICANN-maanged CA to produce the certificate.

It was our ambition with (2) to publish multiple certificates for each anchor, each one representing the same CSR signed by a different certificate authority. This would allow a software vendor who already runs a CA (e.g. for the purpose of signing software updates) to bootstrap trust in a published KSK public key using their own key, but it might also be useful with well-known and -used commercial CAs, too.

A client might then have a bootstrapping mechanism of

  - retrieve <http://data.iana.org/root-anchors/root-anchors.xml>;
  - retrieve the set of CRTs associated with the current KSK (as identified in the XML file, currently just <http://data.iana.org/root-anchors/Kjqmt7v.crt>, but potentially <http://data.iana.org/root-anchors/Kjqmt7v.crt.cisco>);

(both the above accomplished without using DNSSEC validation, or SSL, although those URLs are provided with HTTPS too)

  - use a local X.509 trust anchor (e.g. for a vendor CA, or the regular browser list of SysTrust-accredited commercial CAs, or something else) to verify that the trust anchor retrieved is correct and proper.

Don't interpret any of that as reluctance to discuss doing anything new at IANA to make this easier; I just want to make sure the existing mechanisms can't be made to work in a sensible way first.


Joe

v2.23.0 | Report a Bug | By Email