Re: Security for various IETF services

Theodore Ts'o <tytso@mit.edu> Thu, 10 April 2014 14:14 UTC

Return-Path: <tytso@thunk.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C881A0307 for <ietf@ietfa.amsl.com>; Thu, 10 Apr 2014 07:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.164
X-Spam-Level:
X-Spam-Status: No, score=-0.164 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3W9sAaUuM4F for <ietf@ietfa.amsl.com>; Thu, 10 Apr 2014 07:14:14 -0700 (PDT)
Received: from imap.thunk.org (imap.thunk.org [IPv6:2600:3c02::f03c:91ff:fe96:be03]) by ietfa.amsl.com (Postfix) with ESMTP id 79CE31A0277 for <ietf@ietf.org>; Thu, 10 Apr 2014 07:14:14 -0700 (PDT)
Received: from root (helo=closure.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.80) (envelope-from <tytso@thunk.org>) id 1WYFk4-0004NS-2h; Thu, 10 Apr 2014 14:14:12 +0000
Received: by closure.thunk.org (Postfix, from userid 15806) id 6FE2C5802B6; Thu, 10 Apr 2014 10:14:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=thunk.org; s=mail; t=1397139246; bh=l6GULf0gWeYNZpLwEJkg4LDymXBu5Jx0XYzzWD+kmm8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=XWulVvznUPToSDjUnkdH96Fw1ui5SocyeDKkFJR46nF9DcfbXUHf4HleyO2kItS/S H2hI9sD4VSnZVxbyIQQzVmN5h1QCgT+cZoytysadYEFy81bEXOaoscqiNMUhGad3/s 5kng+mMc9TRpmiELbGMn1ode/pgV+bPaH17f7aqY=
Date: Thu, 10 Apr 2014 10:14:06 -0400
From: Theodore Ts'o <tytso@mit.edu>
To: Steve Crocker <steve@shinkuro.com>
Subject: Re: Security for various IETF services
Message-ID: <20140410141406.GF15925@thunk.org>
References: <20140409154919.11E6118C106@mercury.lcs.mit.edu> <534580AF.4080602@dcrocker.net> <20140409200814.GA15303@thunk.org> <3C46B827-BFFC-4A9E-B600-A1E79C839970@shinkuro.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3C46B827-BFFC-4A9E-B600-A1E79C839970@shinkuro.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/PSCcUDgCN1iQNpEOXBkbQAIiQ5w
Cc: ietf@ietf.org, David Crocker <dcrocker@bbiw.net>, Noel Chiappa <jnc@mercury.lcs.mit.edu>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 14:14:20 -0000

On Wed, Apr 09, 2014 at 04:15:53PM -0400, Steve Crocker wrote:
> My own opinion is related but not identical.  I agree solutions 1
> and 3 are failures; 1 doesn’t provide the trust and 3 doesn’t scale.
> Solution 2 is also problematic because the government tends to
> overreach and there isn’t a single government.
> 
> DNSSEC provides a base platform to build upon.  It doesn’t claim to
> provide the level of trust the CA system tried to provide.  That’s a
> key strength, not a weakness.

DNSSEC basically has the same properties as the "race to the bottom
certifying authorities" model, except it's a "race to the bottom of
the DNS registraries" --- and some cases, the same company runs both a
CA and a DNS registry.  "Meet the new boss, same as the old boss"....

So if you're willing to disclaim the amount of trust that the CA
system purports to provide, it's really a question of "IPSEC" vs "TLS"
--- i.e., at which layer of the stack you are applying the protection.

Cheers,

					- Ted