Re: Using DNS system as a Global Root Certificate Authority - possible ?

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 28 December 2015 01:42 UTC

Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
To: ietf@ietf.org
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com> <20151227060834.GL18704@mournblade.imrryr.org>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-ID: <5680935E.7010803@necom830.hpcl.titech.ac.jp>
Date: Mon, 28 Dec 2015 10:41:50 +0900
In-Reply-To: <20151227060834.GL18704@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/O1coMkvEUbwB7ifsJFP_Mjyp2Vg>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>

Phillip Hallam-Baker wrote:

> One of the issues people don't seem to consider in these schemes is
> that merely reducing the number of trusted intermediaries from ~40 to
> one doesn't actually remove reliance on trusted third parties,

That is, DNSSEC is not secure at all. Just as plain DNS is vulnerable
to active attacks on communication channels, DNSSEC is vulnerable to
active attacks on CA chains.

Viktor Dukhovni wrote:

> It hasn't been "are you who you say you are" for quite some time, not
> for the vast majority of certificates.  EV certificates are rather rare
> with the exception of some of the largest sites.  Certainly the "Let's
> Encrypt" CA will not do anything resembling "are you who you say
> you are".

We don't need a CA for encryption, because DH is good enough. Though
DH is vulnerable to active attacks on communication channels, a CA is
vulnerable to active attacks on CA chains.

						Masataka Ohta
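As an added example (not part of this message or of the thread), the point about DH carried through in Python: an unauthenticated Diffie-Hellman exchange leaves a passive listener with nothing usable, an active attacker on the channel can substitute her own public values and hold one key with each side, and detecting that substitution requires an authenticator rooted in some prior trust relationship. Everything below is constructed: the 127-bit Mersenne prime is a toy group chosen only for readability, and the pre-shared key used with HMAC stands in for whatever binding (a CA chain, a DNSSEC chain, an out-of-band key) vouches for the peer's DH value.

```python
"""Constructed example: unauthenticated DH versus an active attacker,
and what a transcript authenticator bound to prior trust adds."""
import hashlib
import hmac
import secrets

# Toy group (constructed): 2**127 - 1 is prime, but far too small and
# p - 1 is smooth, so discrete logs here are easy.  Real code uses the
# RFC 3526 / RFC 7919 MODP groups or X25519.
P = 2**127 - 1
G = 3
NBYTES = 16  # every residue mod P fits in 16 bytes


def dh_keypair():
    """Private exponent x in [1, P-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Hash of the shared group element.  Rejects the degenerate values
    0, 1 and p-1 an active attacker could inject to force a known key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("bad peer public value")
    z = pow(peer_pub, priv, P)
    return hashlib.sha256(z.to_bytes(NBYTES, "big")).digest()


def channel(A, B, active_attacker):
    """Deliver the public values.  A passive listener only copies them;
    an active attacker replaces each with one of her own and keeps the
    matching private exponents.  Returns (alice_sees, bob_sees, mallory)."""
    if not active_attacker:
        return B, A, None
    m_to_alice, M_to_alice = dh_keypair()  # replaces B on the way to Alice
    m_to_bob, M_to_bob = dh_keypair()      # replaces A on the way to Bob
    return M_to_alice, M_to_bob, (m_to_alice, m_to_bob)


def run_unauthenticated(active_attacker):
    """Plain DH.  Returns (alice_key, bob_key, mallory_keys)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    alice_sees, bob_sees, mallory = channel(A, B, active_attacker)
    alice_key = dh_shared(a, alice_sees)
    bob_key = dh_shared(b, bob_sees)
    mallory_keys = None
    if mallory:
        m_to_alice, m_to_bob = mallory
        # Mallory holds one key with each victim and re-encrypts between them.
        mallory_keys = (dh_shared(m_to_alice, A), dh_shared(m_to_bob, B))
    return alice_key, bob_key, mallory_keys


# Constructed long-term secret.  This is the "trusted third party" step
# the thread argues cannot be removed: some prior binding (PSK here, a
# CA or DNSSEC chain in practice) has to vouch for the peer's key.
PSK = b"constructed pre-shared key for Alice<->Bob"


def transcript_tag(psk, sender_pub, receiver_pub):
    """MAC over both public values as one party saw them."""
    msg = sender_pub.to_bytes(NBYTES, "big") + receiver_pub.to_bytes(NBYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_authenticated(active_attacker):
    """DH plus a transcript MAC.  Returns (accepted, alice_key, bob_key)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    alice_sees, bob_sees, _ = channel(A, B, active_attacker)
    # Alice MACs the transcript as she saw it; Bob recomputes it as he saw
    # it.  Mallory lacks PSK, so she can only relay Alice's tag unchanged.
    alice_tag = transcript_tag(PSK, A, alice_sees)
    accepted = hmac.compare_digest(alice_tag, transcript_tag(PSK, bob_sees, B))
    return accepted, dh_shared(a, alice_sees), dh_shared(b, bob_sees)


if __name__ == "__main__":
    ka, kb, _ = run_unauthenticated(False)
    print("passive listener, keys agree:", ka == kb)
    ka, kb, mk = run_unauthenticated(True)
    print("active attacker, keys agree:", ka == kb, "| Mallory holds both:", mk == (ka, kb))
    print("authenticated, honest run accepted:", run_authenticated(False)[0])
    print("authenticated, attacked run accepted:", run_authenticated(True)[0])
```

The MAC does not make DH stronger against a passive listener; it only lets Bob notice that the values he and Alice each saw differ. Swapping the PSK for a signature verified against a CA- or DNSSEC-published key changes who is trusted, not whether someone is.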