Re: Using DNS system as a Global Root Certificate Authority - possible ?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 27 December 2015 06:08 UTC

Date: Sun, 27 Dec 2015 06:08:34 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
Message-ID: <20151227060834.GL18704@mournblade.imrryr.org>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
In-Reply-To: <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/YTEzsmcSIEi_ngd2LXQtsW_fRbY>

On Sat, Dec 26, 2015 at 10:11:31PM -0500, John C Klensin wrote:

> And even that equation tends to be complicated by the
> observation that the trust relationship, as far as certification
> of identity is concerned, is with the registrars (and, in some
> cases, their agents and resellers) rather than with the
> registries.  At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It hasn't been "are you who you say you are" for quite some time, not
for the vast majority of certificates.  EV certificates are rather rare
with the exception of some of the largest sites.  Certainly the "Let's
Encrypt" CA will not do anything resembling "are you who you say
you are".

Once the question does boil down to whether the party requesting
the certificate controls the domain (rather than the "brand"), the
only party with an authoritative answer to that question is the
registrar on record for the domain.

Provided the domain is registrar-locked, DNSSEC gets one about as
much confidence as one can get in answer to this more modest
question.  The party who authorized the DS records via the registrar
has administrative control over the domain's DNS and thus can
delegate authority over any keys published at and below the zone
apex.

This is certainly not a solution to phishing and the like, but it
can provide useful keying material for application protocols.

-- 
Viktor.
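The delegation step described above (the DS records authorized via the registrar committing to the keys at the zone apex) is the RFC 4034 section 5.1.4 binding: a DS is a hash over the canonical owner name followed by the DNSKEY RDATA. The following is an added example, not code from Viktor's post or from any DNSSEC implementation; it builds a DS for a constructed (not real) DNSKEY and verifies that the DS matches that key and no other.

```python
# RFC 4034 s5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA).
import hashlib
import hmac
import struct
from typing import NamedTuple
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

class DNSKEY(NamedTuple):
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit fold of the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS the parent zone publishes (via the registrar) for this key at this name."""
    digest = DIGESTS[digest_type](canonical_name(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)

def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """True only if every DS field commits to exactly this key at this owner name."""
    if ds.digest_type not in DIGESTS or ds.algorithm != key.algorithm:
        return False
    if ds.key_tag != key_tag(key.rdata()):
        return False
    expected = DIGESTS[ds.digest_type](canonical_name(owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)

# Constructed sample key (not real): 64 bytes standing in for algorithm 13's P-256 point.
SAMPLE_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
```

A validating resolver performs exactly this check before trusting the child's DNSKEY RRset, so a key that is not covered by a DS at the parent carries no authority, whatever is published below the apex.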