Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)
Henry B Hotz <hbhotz@oxy.edu> Sun, 10 August 2014 20:24 UTC
Subject: Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)
From: Henry B Hotz <hbhotz@oxy.edu>
In-Reply-To: <5B9A4046A1CB9ECDF6B77ACC@JcK-HP8200.jck.com>
Date: Sun, 10 Aug 2014 13:24:07 -0700
Message-Id: <8C7D573E-7C30-44A2-9820-B9B470B3426E@oxy.edu>
References: <20140730150819.GA15044@mournblade.imrryr.org> <00d801cfacb3$9e5c3440$4001a8c0@gateway.2wire.net> <53DA9B74.8040706@bbn.com> <001a01cfacfd$76b4d6a0$4001a8c0@gateway.2wire.net> <20140731223242.GS15044@mournblade.imrryr.org> <53DFBA2C.3040107@bbn.com> <53E0FB86.7000803@bbn.com> <20140805181419.GF15044@mournblade.imrryr.org> <20140805210434.GB23449@localhost> <53E17F34.9090804@dcrocker.net> <20140806012706.GN15044@mournblade.imrryr.org> <53E19242.5030208@dcrocker.net> <468ABF4C-BD12-4599-BF3F-57D2761DECFD@frobbit.se> <6F2A9C4EF7A35E87B09D37EF@JcK-HP8200.jck.com> <53E64B66.4000203@dcrocker.net> <CFABA714-21D3-4B6A-AFB3-C9474AC4185E@shinkuro.com> <5B9A4046A1CB9ECDF6B77ACC@JcK-HP8200.jck.com>
To: John C Klensin <john-ietf@jck.com>
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/-MqkxS2iJChdiqnZDq0sJ-GmHqI
Cc: ietf@ietf.org, saag@ietf.org, David Crocker <dcrocker@bbiw.net>
On Aug 10, 2014, at 7:36 AM, John C Klensin <john-ietf@jck.com> wrote:

> There is one sense in which trust models based on DNSSEC that
> seem to imply certification of non-DNS entities (like
> registrants) are more dangerous than ones based on CA chains.
> In the latter case, there are good, and obvious, analogies to
> many people's everyday experience. If one finds someone who
> claims to be a notary but who operates out of the back of a
> taxicab, exhibits no credentials or authorization, who is
> willing to certify a document with no more identification of the
> signer than the ability to pay a few dollars in cash, and
> trusts him to certify signatures on an important document, it is
> pretty generally understood what that certification is worth.
> We aren't quite there with CAs, but most people are able to at
> least understand applicability of the analogy. On the other
> hand, when we build a system on top of the DNS and DNSSEC,
> relying on elaborate rituals like the signing of the root and
> layers of processes that are, for the typical user of the
> Internet, indistinguishable from magic, and fail to be clear
> that, e.g., no actual certification of registrant identity or
> integrity is involved, people may trust the magic rather than
> trusting DNSSEC as it is.

There is one sense in which trust models based on DNSSEC are less dangerous than CA chains. The keys are issued by the same people who are responsible for directing traffic (via DNS) to a named entity, not by some other people at a different business in another country.

My favorite example of this is the US Federal Bridge CA, which is not on the standard browser trust lists. At the same time a number of hostile (to the US) foreign governments *are* on those lists.

Where I think we agree is that having simple, clear, and accurate descriptions of what a technology does is critical so no one gets a really nasty surprise.

Personal email. hbhotz@oxy.edu
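The following is an added illustration, not part of Henry Hotz's message, of John Klensin's, or of the draft under discussion. It models the two verification decisions the message contrasts: a flat list of trusted CAs, in which any listed root may vouch for any name and an unlisted issuer is ignored, versus a DNS-style delegation chain, in which the only parties that can vouch for a name are the zones on the path from the root to that name. Every authority, zone, host and key is made up, and textbook RSA over tiny primes stands in for real signatures so that the verifier genuinely holds only public keys; it is a toy and must not be used for anything real.

```python
# Added illustration for the contrast drawn above between a flat CA trust
# list and a DNS-style delegation chain. Not code from the message or the
# draft; every name, authority and key below is made up, and textbook RSA
# over tiny primes stands in for real signatures (toy only, never use it).
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    name: str  # holder: a CA, a DNS zone operator, or a host
    n: int
    e: int
    d: int

    @property
    def public(self):
        return (self.n, self.e)


def make_keypair(name, p, q):
    """Textbook RSA over two small primes (toy, for illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in range(3, phi, 2) if math.gcd(x, phi) == 1)
    return KeyPair(name, n, e, pow(e, -1, phi))


def _digest(subject, public, n):
    msg = f"{subject}|{public[0]}|{public[1]}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_binding(issuer, subject, public):
    """Issuer vouches that `subject` holds `public`: a certificate in the
    CA model, a DS/DNSKEY-style link in the DNS model."""
    sig = pow(_digest(subject, public, issuer.n), issuer.d, issuer.n)
    return (subject, public, issuer.name, sig)


def verify_binding(stmt, issuer_public):
    subject, public, _, sig = stmt
    n, e = issuer_public
    return pow(sig, e, n) == _digest(subject, public, n)


def ca_model_accepts(stmt, trusted_roots):
    """Flat trust list: any listed root may vouch for any name, and an
    issuer that is not listed is ignored however legitimate it is."""
    return any(stmt[2] == root.name and verify_binding(stmt, root.public)
               for root in trusted_roots)


def dns_model_accepts(name, chain, root_public):
    """Delegation chain: each link must be signed by the previous zone's key
    and must stay on the path from the root to `name` itself."""
    signer_public, parent = root_public, None
    for stmt in chain:
        subject, public = stmt[0], stmt[1]
        if parent is not None and not subject.endswith("." + parent):
            return False  # link does not lie on the delegation path
        if not verify_binding(stmt, signer_public):
            return False  # signer is not the zone one level up
        signer_public, parent = public, subject
    return parent == name


def demo():
    """Constructed scenario (all parties made up); returns five decisions."""
    dns_root = make_keypair("dns-root", 1009, 1013)
    com_zone = make_keypair("com", 1031, 1033)
    example = make_keypair("example.com", 1039, 1049)
    host = make_keypair("www.example.com", 1051, 1061)
    listed_ca = make_keypair("ListedCA", 1063, 1069)      # in the browser list, no relation to example.com
    unlisted_ca = make_keypair("UnlistedCA", 1087, 1091)  # legitimate issuer absent from the list
    mallory = make_keypair("mallory", 1093, 1097)
    name = "www.example.com"

    rogue_cert = sign_binding(listed_ca, name, mallory.public)
    real_cert = sign_binding(unlisted_ca, name, host.public)
    honest_chain = [
        sign_binding(dns_root, "com", com_zone.public),
        sign_binding(com_zone, "example.com", example.public),
        sign_binding(example, name, host.public),
    ]
    outsider_chain = honest_chain[:2] + [rogue_cert]
    parent_override = [
        honest_chain[0],
        sign_binding(com_zone, "example.com", mallory.public),
        sign_binding(mallory, name, mallory.public),
    ]
    return {
        "ca_accepts_any_listed_root": ca_model_accepts(rogue_cert, [listed_ca]),
        "ca_accepts_unlisted_issuer": ca_model_accepts(real_cert, [listed_ca]),
        "dns_accepts_delegation_chain": dns_model_accepts(name, honest_chain, dns_root.public),
        "dns_accepts_outsider_link": dns_model_accepts(name, outsider_chain, dns_root.public),
        "dns_accepts_parent_zone_override": dns_model_accepts(name, parent_override, dns_root.public),
    }


if __name__ == "__main__":
    for decision, accepted in demo().items():
        print(f"{decision}: {accepted}")
```

The first two results are the CA-list behaviour the message objects to: a listed CA with no relationship to the name gets its statement accepted, while the unlisted issuer's correct statement is discarded. The third and fourth are the DNS-style behaviour: only signatures from the zones on the path to the name count. The fifth is the caveat a practitioner should keep in mind: the parent zones on that path (here the "com" operator, and in practice the registry/registrar path into it) can still substitute a key, which is consistent with the point that the party vouching for the key is the one already directing traffic for the name.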