Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
Jakob Schlyter <jakob@kirei.se> Fri, 28 January 2011 07:52 UTC
Return-Path: <jakob@kirei.se>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E54E528C0DE for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 23:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.236
X-Spam-Level:
X-Spam-Status: No, score=-2.236 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmgCMpOVGwCr for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 23:52:51 -0800 (PST)
Received: from spg.kirei.se (gomi.kirei.se [91.206.174.9]) by core3.amsl.com (Postfix) with ESMTP id E295628C0CE for <dnsext@ietf.org>; Thu, 27 Jan 2011 23:52:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kirei.se; s=spg20100524; h=received:subject:mime-version:content-type:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to:x-mailer; bh=1EnZpQtJ7Dw0WpaaYx4TLKb5nN8RNFp0J7l0ebWAQ88=; b=VorOMWdpelUXl0Lhg9DwTkp4IlY07Myt+I4U7mjJVoGqv/+kA3xwysyP2CmEgsHDDlhW4LUzEEFR4 xVZnrX9nxh74Sm/r8tlf+EXk2/nWgAfSgASdJR3P35CY3jzcZ6QaxtnsbuYUw/fzu/v3Le8O4dUXKL SjcqgcRz+BsoUiJw=
Received: from mail.kirei.se (unknown [91.206.174.10]) by spg.kirei.se (Halon Mail Gateway) with ESMTPS; Fri, 28 Jan 2011 08:55:53 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <AANLkTikB33P8ODJ1_Tu6rab11=XkvQK7LYE-_w8Wetig@mail.gmail.com>
Date: Fri, 28 Jan 2011 08:55:50 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <5F7680DF-C167-4600-A7F2-0CB76D6550AA@kirei.se>
References: <4D41D3E2.6060107@cisco.com> <AANLkTikB33P8ODJ1_Tu6rab11=XkvQK7LYE-_w8Wetig@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: Apple Mail (2.1082)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 07:52:53 -0000
On 28 jan 2011, at 07.37, Brian Dickson wrote: > What if, rather than starting from "old trust roots", it was starting > from "privately-signed trust anchors"? > > I.e. have IANA have private keys which are used ONLY for this service. > The vendors would include the public keys as trust anchors for > boot-strapping purposes. The key transfer might happen offline, or at > least out-of-band. We designed the detached signature [1] over the XML file [2] to work almost like that, although the ICANN Root CA is used for other things as well. > The same data could be signed with multiple such unpublished keys, as > needed (e.g. one per vendor, per year, use a new key every year, but > keep signing with all keys) and/or funded. Vendors might agree to pool > resources/keys, or not. Anyone can grab the latest root key CSR [3], sign it and produce a their "own" DNSSEC root key certificate and distribute with their software. > And, most importantly, it would be off-axis from the root-key > chaining. The rolling of root keys (for whatever reason, especially > for compromise) would be orthogonal to this mechanism. IMHO, any key signing the root key should protected with the same controls as the root key itself. Given how the root key itself is protected, I doubt that very few organizations can match that level of protection (although I know I'm biased when it comes to root key protection). > Open question: > Does not publishing the key make it harder to compromise the key? No. jakob [1] http://data.iana.org/root-anchors/root-anchors.p7s [2] http://data.iana.org/root-anchors/root-anchors.xml [3] http://data.iana.org/root-anchors/Kjqmt7v.csr -- Jakob Schlyter Kirei AB - www.kirei.se
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson