Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
John Bashinski <jbash@cisco.com> Fri, 28 January 2011 17:25 UTC
Return-Path: <jbash@cisco.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 672393A68D2 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3irsiVrEVog for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:25:20 -0800 (PST)
Received: from vps1.velvet.com (vps1.velvet.com [66.249.7.50]) by core3.amsl.com (Postfix) with ESMTP id 7B19C3A67C2 for <dnsext@ietf.org>; Fri, 28 Jan 2011 09:25:20 -0800 (PST)
Received: from candyfloss.jbash.velvet.com (206-248-144-221.dsl.teksavvy.com [206.248.144.221]) by vps1.velvet.com (Postfix) with ESMTPSA id 21B861A5305; Fri, 28 Jan 2011 12:28:24 -0500 (EST)
Received: from candyfloss.jbash.velvet.com (candyfloss.jbash.velvet.com [127.0.0.1]) by candyfloss.jbash.velvet.com (Postfix) with ESMTP id F3FE76726; Fri, 28 Jan 2011 12:28:22 -0500 (EST)
Message-ID: <4D42FCB6.70005@cisco.com>
Date: Fri, 28 Jan 2011 12:28:22 -0500
From: John Bashinski <jbash@cisco.com>
Organization: Cisco Systems, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Thunderbird/3.1.7
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42F597.8090006@vpnc.org>
In-Reply-To: <4D42F597.8090006@vpnc.org>
X-Enigmail-Version: 1.1.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigA8413E90374F2AED8CE658D3"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 17:25:22 -0000
On 2011-01-28 11:57, Paul Hoffman wrote: > Is there a reason that we are only focusing on one of the multiple > proposals that this person proposed? Path II was: > > II. Provide our own key update service. This might be DNS-based or > HTTP-based. It would provide either: > > a. The entire historical chain of DNS root KSKs, with older keys > signing newer ones, so that the device could pick up from > whatever key it had, OR > > b. Just the current root key, signed with a key validated by > Cisco's private X.509 PKI (the same PKI we use to sign > software), OR > > c. The chain of (a) further signed with a key from (b). > > We are obviously capable of this. We also obviously think it's > inferior to (I). > It is not clear that it is inferior to (I) if doing (I) makes the > entire system more fragile by adding another moving part. I'm not sure I see how it does that. The new "moving part" isn't in the main trust path. It's off to the side, and it doesn't affect the basic system. It only affects devices that choose to validate by default and choose to bootstrap from old keys. If you do want to think of that as a new moving part, then if you have every vendor do it separately,what you've really done is to add N new moving parts instead of one. > I think (II)(b) looks quite sane, easy to do right now, and if this > community ever agrees to a safe way to do (I) *and* implements it, > doing a firmware update to switch over to it would not be hard. I > would not hold my breath, though. > We're talking pre-loaded trust anchors here. They have the same power > as pre-loaded software. If (II)(b) works for your software, it should > work just fine for your trust anchors. Actually, it's not quite the preloaded trust anchors we're talking about. It's the updated keys that get validated using those preloaded anchors. It's a given that you're going to start with some key to bootstrap your trust in DNSSEC, and that key is going to be preloaded. Then you're going to download some updated DNSSEC trust root, and validate it against your preloaded key. The question is how the downloaded key got signed. From my point of view, some person or persons, inside or outside of Cisco, is going to have the ability to cause a new DNSSEC root key to get signed using that preloaded key. That person or persons is NOT going to be the same person or persons who generates the software loads. I'm adding a new trusted entity to the system. I think you're saying "well, let Cisco be trusted; it's trusted already anyway". That's true if you look at Cisco as a monolith, but I don't have that luxury. Something has to be set up inside Cisco to deal with handling these keys. The complexity still exists; it's just been made less visible from a certain point of view. So, the question is whether it's better to have a single, publicly visible process that may be able to break a very large number of devices, or a large number of hidden processes each of which can break a smaller number of devices. I tend to prefer the former. -- jbash
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson