Re: [dnsext] historical root keys for upgrade path?

Paul Wouters <paul@xelerance.com> Wed, 26 January 2011 21:38 UTC

Date: Wed, 26 Jan 2011 16:41:15 -0500
From: Paul Wouters <paul@xelerance.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org

On Wed, 26 Jan 2011, Phillip Hallam-Baker wrote:

> Paul, you came here with an assertion that you were interested in solving a particular problem.
> Since then you have changed the problem whenever people suggest an alternative that does not match your
> proposed solution.

> If I was a major router manufacturer or any other manufacturer, I would make sure that there was satisfactory
> control of the ultimate root of trust embedded in my products.

This particular big router vendor has stated to me that using X.509 and CAs cannot
be part of the solution, exactly for the reasons I have mentioned in previous emails.

These are their words exactly:

    Frankly, one of the most compelling reasons for wanting to see
    ubiquitous DNSSEC is precisely this long, ever changing list of X.509
    CAs, each with its own policies, procedures, personnel, and pressure
    points, and each representing an opportunity for total failure of the
    whole PKI. X.509 as deployed is a security disaster, and I see
    basically no chance of it ever getting better.

    Personally, and I'm hoping to convince [vendor] and everybody else of
    this eventually, I would like to see DNSSEC *replace* X.509 as the
    PKI for basically everything on the Internet, or at least see all
    X.509 trust conditioned on DNSSEC trust.
Phillip, it is not just me. Your PKI solution does not fit this
problem. It just creates an additional problem.

> As the Internet matures and the need to upgrade equipment for purely performance issues subsides, service
> lifetimes for network infrastructure are going to be measured in decades. Which is something of a problem in
> an industry where Internet time turned out to mean that Netscape took a little over five years to go from
> startup, to industry behemoth, to extinction rather than the 80-90 years that it took General Motors to
> achieve the same.

You never did give me your professional expert estimate of the number or
percentage of valid CAs in the latest Netscape Navigator/Communicator
released. I would still be interested in that number to confirm or deny
the usability of Certificate Agencies over a decade-long deployment.

Paul