IETF Logo Mail Archive

Re: https at ietf.org

David Conrad <drc@virtualized.org> Mon, 02 December 2013 00:09 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3C471AE24C for <ietf@ietfa.amsl.com>; Sun, 1 Dec 2013 16:09:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JERPVbrU-7Z for <ietf@ietfa.amsl.com>; Sun, 1 Dec 2013 16:09:17 -0800 (PST)
Received: from alpha.virtualized.org (alpha.virtualized.org [199.233.229.186]) by ietfa.amsl.com (Postfix) with ESMTP id 695B51AE212 for <ietf@ietf.org>; Sun, 1 Dec 2013 16:09:17 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by alpha.virtualized.org (Postfix) with ESMTP id A51F0863E0; Sun, 1 Dec 2013 19:09:14 -0500 (EST)
Received: from alpha.virtualized.org ([127.0.0.1]) by localhost (alpha.virtualized.org [127.0.0.1]) (maiad, port 10024) with ESMTP id 63027-10; Sun, 1 Dec 2013 19:09:13 -0500 (EST)
Received: from [10.0.1.6] (c-24-4-109-25.hsd1.ca.comcast.net [24.4.109.25]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: drc@virtualized.org) by alpha.virtualized.org (Postfix) with ESMTPSA id B1EFE863C6; Sun, 1 Dec 2013 19:09:11 -0500 (EST)
Content-Type: multipart/signed; boundary="Apple-Mail=_4590D6F5-F851-4B37-AFBC-FC3B6DE1F62C"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
Subject: Re: https at ietf.org
From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAMm+LwhXb6uYJLie1FmJE34aC0EO39_t7331X1O0iD=-gmSEvw@mail.gmail.com>
Date: Sun, 01 Dec 2013 16:09:08 -0800
Message-Id: <38B94CB1-C62A-4BAC-85D4-B08FB7315CE9@virtualized.org>
References: <20131125180608.55454.qmail@joyce.lan> <E5836934-317D-4E73-80CC-B8847047852A@virtualized.org> <CAMm+LwhXb6uYJLie1FmJE34aC0EO39_t7331X1O0iD=-gmSEvw@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 00:09:22 -0000

Phillip,

On Nov 30, 2013, at 11:08 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> As I'm sure you're aware, for this attack to work, not only would the US government need to compromise the root KSK HSMs and a rather Byzantine set of safeguards, they would also presumably need to do so in a way that would reduce the likelihood that the compromised elements would be noticed.  
> You clearly do not understand the nature of those controls.

And you clearly did not understand the point of my message. To (re)state the obvious: the controls put in place were an attempt to alleviate concerns expressed by the Internet (well, primarily the DNS knowledgable) community about whether ICANN's handling of the root KSK was trustworthy given the set of assumptions and constraints the root management partners (ICANN, Verisign, and NTIA) were placed under both by the Internet community at large but also the US Dept. of Commerce, NTIA (since signing the root was seen as part of the IANA functions contract). I agree that base assumptions under which the controls were created have changed and as such, the DPS and the practices implemented under it should be reviewed and likely revised.

What I was arguing against was waving "NSL" around as a totem. NSLs aren't an attack, they're a way of hiding the attack. I'm suggesting that it is more useful to identify attacks and address the vulnerabilities that lead to those attacks. Given the way DNSSEC works and the complexity/risk of disclosure inherent in how the DNSSEC root key is handled and validation is done, I personally think it is far more likely the target's validating resolver will be compromised (particularly given most people rely on validating resolvers operated by third parties) but that isn't to say that we should ignore the potential vulnerabilities that might exist in the handling of the root KSK. The point is that unlike the operation of (many? most? all?) commercial CAs, the operation of the root KSK by ICANN is public and open for input/improvement. As I said in a previous message "send text".

> If we are positing the failure of those controls in one case then we should posit the same attack in the other.

I agree 100%.

> At least in the CA trust scheme there is a choice of trust providers.

This does not appear to have been an advantage in practice since it would seem non-public practices on the part of a few CAs put relying parties at risk.

> If ICANN were to turn DigiNotar it is the only option, it is not only 'too big to fail' it is the only possible provider.

Not knowing all the details of the Diginotar case I'm honestly curious: given the very public nature of every step of ICANN's role related to the root KSK, how would it "turn Diginotar"?

Regards,
-drc

v2.23.0 | Report a Bug | By Email