Re: Using DNS system as a Global Root Certificate Authority - possible ?

Eliot Lear <lear@cisco.com> Sun, 27 December 2015 12:38 UTC

Subject: Re: Using DNS system as a Global Root Certificate Authority - possible ?
To: Patrik Fältström <paf@frobbit.se>
References: <CAOJ6w=EdXPzK7f=zS0epuYXkkEcwtop11Ttt6QUR1-FtN1rGWg@mail.gmail.com> <CAMm+LwgGhs_W9g2yG-HC6YDBiz++Z-G5hbNL=bFGAcDQXJK9AA@mail.gmail.com> <D24618171F1482DB31C6B8AB@JcK-HP5.jck.com> <23F80B32-B026-4122-8EFD-52EA70A9D5B9@frobbit.se>
From: Eliot Lear <lear@cisco.com>
Message-ID: <567FDBD1.4010703@cisco.com>
Date: Sun, 27 Dec 2015 12:38:41 +0000
In-Reply-To: <23F80B32-B026-4122-8EFD-52EA70A9D5B9@frobbit.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/iF5JV3i2vqfBaDhxlTur4Dd60I8>
Cc: ietf <ietf@ietf.org>

Hi Patrik,

On 12/27/15 6:35 AM, Patrik Fältström wrote:
> On 27 Dec 2015, at 4:11, John C Klensin wrote:
>
>> At that point, the number of trusted intermediaries
>> gets back toward order 40 or 100, not one, unless the question
>> is "do you control this domain" rather than "are you who you say
>> you are".
> It is not that bad as the domain in question is bound to one and only one registrar, which is a mapping that the registry is keeping track of. It is not the case that any registrar can do any change to any domain name.
>
> So, with today's CA system, any CA can sign a cert with any domain name in the CN.
>
> With the DNS and DNSSEC, only registries in the hierarchy from the root can publish the DS, and only one registrar can pass the DS to the parent for publication.
>
One would like to believe that name constraints as specified by RFC 5280
could be useful, and yet experience seems to show otherwise.  Perhaps
all is not lost.  My understanding is that the browser crowd in
particular have begun to tighten their requirements for having a CA in
their cache.  At least [1] seems to indicate so.  Name constraints are
an interesting area of perhaps some continued work.  That is, it seems
to me that *all* CAs should have some Name Constraints.  Further, it
also seems to me that very few CA certs should themselves be
self-signed.  Here's the problem: if ever there were a brownfield, this
is it.  That requires some serious navigation through the installed base
to make a change.  Along these lines, I think many of us were quite
fascinated by Google's "interaction" with Symantec[2] since it seems to
represent a potential change in the dynamic.

Eliot

[1] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
[2] http://www.pcworld.com/article/2999146/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html
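The RFC 5280 name-constraint check that the message argues every CA should be subject to, worked through as an added example (not code from the message, the thread, or any IETF document). It implements the dNSName subtree rule from RFC 5280 section 4.2.1.10 and the path rule that constraints from each CA on the chain apply together (permitted subtrees narrow, excluded subtrees accumulate). The CA layout, constraint values and host names are constructed for illustration; the unconstrained root shows the situation Patrik describes, where any CA can vouch for any name.

```python
"""RFC 5280 section 4.2.1.10 name-constraint evaluation for dNSName entries.

Added illustration, not taken from the mailing-list message. Certificate
names and the CA layout below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 rule: a dNSName satisfies a subtree if it equals the subtree
    or is formed by adding zero or more labels on the left of it. Matching is
    on label boundaries, so "notexample.com" is not inside "example.com"."""
    n, s = _labels(name), _labels(subtree)
    if len(n) < len(s):
        return False
    return n[len(n) - len(s):] == s


@dataclass
class NameConstraints:
    """The dNSName parts of one CA certificate's NameConstraints extension.
    An empty `permitted` list means the CA imposes no permitted restriction
    (extension absent, or it only lists excluded subtrees)."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def check_chain(leaf_dns_names: List[str],
                chain: List[NameConstraints]) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). `chain` lists the CA certificates from the
    trust anchor down to the issuer of the leaf. Every leaf name must lie in
    at least one permitted subtree of each CA that has permitted subtrees,
    and in no excluded subtree of any CA on the path."""
    reasons: List[str] = []
    for name in leaf_dns_names:
        for depth, ca in enumerate(chain):
            for ex in ca.excluded:
                if dns_name_in_subtree(name, ex):
                    reasons.append(f"{name}: excluded by CA[{depth}] subtree {ex}")
            if ca.permitted and not any(dns_name_in_subtree(name, p)
                                        for p in ca.permitted):
                reasons.append(f"{name}: not within any permitted subtree "
                               f"of CA[{depth}] {ca.permitted}")
    return (not reasons, reasons)


# Constructed sample CA hierarchy (hypothetical, not any real CA).
ROOT_UNCONSTRAINED = NameConstraints()                 # today's common case
ROOT_CONSTRAINED = NameConstraints(permitted=["example.com", "example.net"])
INTERMEDIATE = NameConstraints(permitted=["corp.example.com"],
                               excluded=["lab.corp.example.com"])


if __name__ == "__main__":
    cases = [
        (["www.corp.example.com"], [ROOT_CONSTRAINED, INTERMEDIATE]),
        (["www.example.com"], [ROOT_CONSTRAINED, INTERMEDIATE]),
        (["host.lab.corp.example.com"], [ROOT_CONSTRAINED, INTERMEDIATE]),
        (["anything.invalid"], [ROOT_UNCONSTRAINED]),
    ]
    for names, chain in cases:
        ok, why = check_chain(names, chain)
        print(names, "accepted" if ok else "rejected", why)
```

The last case is the point of the thread: with no constraints on the root, a leaf for any name at all is accepted, which is exactly what the DNSSEC delegation chain does not permit. Note that this checks only dNSName subtrees; a real validator also has to apply the extension's rules for rfc822Name, URI and IP-address subtrees and to reject names it cannot match to a subtree type.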