Re: Quic: the elephant in the room

Nico Williams <nico@cryptonector.com> Sun, 11 April 2021 16:46 UTC

Date: Sun, 11 Apr 2021 11:46:06 -0500
From: Nico Williams <nico@cryptonector.com>
To: Ben Laurie <benl=40google.com@dmarc.ietf.org>
Cc: Michael Thomas <mike@mtcc.com>, Phillip Hallam-Baker <phill@hallambaker.com>, IETF Discussion Mailing List <ietf@ietf.org>
Subject: Re: Quic: the elephant in the room
Message-ID: <20210411164605.GJ9612@localhost>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <CABrd9STZXonBDvWB7Z36H2mD20Juubc01TUmEvpfWkvJggQVOQ@mail.gmail.com> <ab6bcbf0-646c-9f2d-5f98-fdc3e9ba27bf@mtcc.com> <CABrd9STEqvgexYKTUdFqn1zu=U2+h92_aDS6rM=8xcwibNJM3A@mail.gmail.com>
In-Reply-To: <CABrd9STEqvgexYKTUdFqn1zu=U2+h92_aDS6rM=8xcwibNJM3A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/j-PPmDKMPtz5iI09nlTRtJ7pBes>

On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote:
> What I mean is that the authorities for DNS get compromised far more often
> than CAs do. Also, DNS has the same plethora of authorities with varying
> security responsibility.

When a registrar/registry gets compromised, it can issue credentials
only for things in and below its zone(s).  Customers can choose
registrars known for security.

When a WebPKI CA gets compromised, it can issue credentials for any
domain name anywhere in the DNS.  Customers can't choose to make lame CAs
not able to hurt them.

This is because one system has unyielding name constraints, and the
other has none.  Name constraints are absolutely essential to a decent
PKI.

Nico
--
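As an added illustration of the name-constraint argument in the message above (example code, not part of the thread): a small model of RFC 5280-style dNSName permitted/excluded subtrees, applied to a registry for the constructed zone `example.` and an unconstrained CA, showing which of a constructed list of names each issuer could mint credentials for if compromised.

```python
"""Model of dNSName name constraints (RFC 5280 section 4.2.1.10 semantics).

A constraint such as "example." is satisfied by any name formed by adding
zero or more labels on the left, so "www.example." matches but
"notexample." does not (matching is on whole labels, not substrings).
"""
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring trailing/leading dots."""
    return [lbl for lbl in name.lower().strip(".").split(".") if lbl]


def in_subtree(name: str, constraint: str) -> bool:
    """True if name equals constraint or is a proper subdomain of it."""
    n, c = _labels(name), _labels(constraint)
    if not c:  # an empty constraint denotes the whole DNS tree
        return True
    return len(n) >= len(c) and n[-len(c):] == c


@dataclass(frozen=True)
class Issuer:
    """An issuer of name-bound credentials: a registry, a CA, or a constrained CA."""
    label: str
    permitted: tuple[str, ...] = ()  # empty tuple = unconstrained
    excluded: tuple[str, ...] = ()

    def may_issue_for(self, name: str) -> bool:
        # excludedSubtrees win over permittedSubtrees, as in RFC 5280
        if any(in_subtree(name, e) for e in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(in_subtree(name, p) for p in self.permitted)


def issuable_after_compromise(issuer: Issuer, names: list[str]) -> list[str]:
    """Blast radius of a compromised issuer: the names it could issue for."""
    return [n for n in names if issuer.may_issue_for(n)]


# Constructed sample issuers and names (hypothetical, not real zones or CAs).
REGISTRY_EXAMPLE = Issuer("registry for example.", permitted=("example.",))
WEBPKI_CA = Issuer("unconstrained WebPKI CA")
CONSTRAINED_CA = Issuer("cross-certified CA", permitted=("example.",),
                        excluded=("bank.example.",))
SAMPLE_NAMES = ["www.example.", "bank.example.", "notexample.", "other.test."]
```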