Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

Joe Abley <jabley@hopcount.ca> Fri, 17 September 2010 13:09 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <4C9342C1.309@nlnetlabs.nl>
Date: Fri, 17 Sep 2010 09:10:09 -0400
Message-Id: <AE029F84-0E58-409F-8CD6-66EDCA6259B7@hopcount.ca>
References: <569C36E4-4F05-41B2-B0B8-A4B8228F13C9@googlemail.com> <p06240843c8b86ff53ffe@[10.20.30.158]> <4C9342C1.309@nlnetlabs.nl>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

On 2010-09-17, at 06:28, W.C.A. Wijngaards wrote:

> * The URL that iana published in their description is:
>  https://data.iana.org/root-anchors/root-anchors.xml
> * 'widely available trust certificates' to verify the https

We also specified

 - http:// URLs (no "s")
 - detached OpenPGP signatures
 - detached S/MIME signatures

> Are you sure that we want to create a cross-dependency on the https
> security for the DNS security?

Per above, there are multiple alternatives.

> This means the DNS and cert paths are no
> longer different trust paths.  And we should look at the attack vectors
> here.  If the root-key-prime fails, it is likely the machine will
> initiate this update machinery right away.  Assume a full MitM; say on a
> middlebox; it can make the root-key-prime fail and intercept traffic to
> that URL.

Let's also assume that a trust anchor for the ICANN CA which is used to create the detached S/MIME signature, or the PGP public key which is used to create the OpenPGP signature, has been incorporated in some sensible way into operating system and/or DNS software distribution. This ought to represent a usefully-different path of trust to allow the authenticity of trust anchors received from the repository to be verified.

ICANN continues to offer to work directly with key software vendors to facilitate secure distribution of these trust points. We'll fly to your offices and hand them to you with signed attestations, if you want.


Joe
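An added illustration of the non-TLS trust path discussed above (not code from the thread, from ICANN or from IANA): a detached PKCS#7 signature over a trust-anchor file is verified only against a certificate pinned locally out of band, so a middlebox controlling the HTTP(S) fetch cannot substitute the file. The signing certificate, its key and the XML are constructed stand-ins, not the ICANN CA or the real root-anchors.xml.

```shell
#!/bin/sh
# Verify a detached S/MIME (PKCS#7 DER, ".p7s") signature over a trust-anchor
# file against a pinned signer certificate. No system CA store and no TLS is
# consulted, so the transport used to fetch the file is irrelevant to the check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the signer's trust point (would be shipped with the
# OS or resolver package in practice). Self-signed so the example is offline.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=example-anchor-signer" \
  -keyout "$WORK/signer.key" -out "$WORK/pinned-signer.pem" >/dev/null 2>&1

# Constructed stand-in for the published anchor file (not real IANA data).
cat >"$WORK/root-anchors.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example"><Zone>.</Zone></TrustAnchor>
EOF

# Produce the detached DER PKCS#7 signature, the same shape as a .p7s file.
openssl smime -sign -binary -outform DER \
  -in "$WORK/root-anchors.xml" -signer "$WORK/pinned-signer.pem" \
  -inkey "$WORK/signer.key" -out "$WORK/root-anchors.p7s"

# verify_anchors FILE SIG PINNED_CERT
# Exit 0 only if SIG is a valid detached signature over FILE chaining to
# PINNED_CERT alone (-no-CApath: ignore the system certificate directory).
verify_anchors() {
  openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile "$3" -no-CApath -out /dev/null 2>/dev/null
}

# Untampered file: verification succeeds.
verify_anchors "$WORK/root-anchors.xml" "$WORK/root-anchors.p7s" \
  "$WORK/pinned-signer.pem" && echo "anchors verified against pinned signer"

# Modified in transit: verification must fail whatever the transport promised.
sed 's|<Zone>\.</Zone>|<Zone>example</Zone>|' \
  "$WORK/root-anchors.xml" >"$WORK/tampered.xml"
if verify_anchors "$WORK/tampered.xml" "$WORK/root-anchors.p7s" \
     "$WORK/pinned-signer.pem"; then
  echo "UNEXPECTED: tampered file verified"; exit 1
else
  echo "tampered file rejected (expected)"
fi
```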