Re: Security for various IETF services

Theodore Ts'o <tytso@mit.edu> Fri, 11 April 2014 00:57 UTC

Date: Thu, 10 Apr 2014 20:57:12 -0400
From: Theodore Ts'o <tytso@mit.edu>
To: Mark Andrews <marka@isc.org>
Subject: Re: Security for various IETF services
Message-ID: <20140411005712.GA29956@thunk.org>
References: <20140409154919.11E6118C106@mercury.lcs.mit.edu> <534580AF.4080602@dcrocker.net> <20140409200814.GA15303@thunk.org> <3C46B827-BFFC-4A9E-B600-A1E79C839970@shinkuro.com> <20140410141406.GF15925@thunk.org> <20140411003231.F1A171365D59@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140411003231.F1A171365D59@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/snK2WazI4qU0EBlJlW_-agF-AaM
Cc: Noel Chiappa <jnc@mercury.lcs.mit.edu>, ietf@ietf.org, David Crocker <dcrocker@bbiw.net>

On Fri, Apr 11, 2014 at 10:32:31AM +1000, Mark Andrews wrote:
> Not quite the same.  A CA could issue a cert without any checking
> for any domain.  Here you need to be the registrar of record to add
> records to the registry.  Also a registry can only add records for
> the namespace it manages, not any arbitrary name.
> 
> So to get a bad DS added you need to be a corrupt registry or a
> corrupt employee of the registry, or you need to compromise the registrant's
> credentials, or you need to succeed in transferring the zone to you.

Or you have to be the corrupt registry operator or an employee for the
registry operator (i.e., Verisign for the .com domain)....

    - Ted
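A defender-side check that follows from the trust chain discussed above: recompute, per RFC 4034, the DS records the parent should hold for the DNSKEYs you actually control, and flag any published DS that matches none of them (an unexpected DS is exactly what a corrupt registry, registrar or stolen registrant credentials would leave behind). This is an added example, not code from the thread; the key bytes are constructed placeholders, not a real key.

```python
import hashlib
from dataclasses import dataclass

# Hash functions for DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes  # base64-decoded key material from the DNSKEY RR

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(key.rdata()))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> tuple[int, int, int, str]:
    """DS RDATA (key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + key.rdata()).hexdigest()
    return (key_tag(key), key.algorithm, digest_type, digest)


def unexpected_ds(owner: str, our_keys: list[DNSKEY],
                  published: list[tuple[int, int, int, str]]) -> list[tuple[int, int, int, str]]:
    """DS records found at the parent that correspond to none of the keys we control."""
    expected = {compute_ds(owner, k, dt) for k in our_keys for dt in DIGEST_ALGS}
    return [ds for ds in published if (ds[0], ds[1], ds[2], ds[3].lower()) not in expected]


if __name__ == "__main__":
    # Constructed KSK (placeholder key bytes, not a real RSA key) and the DS it should yield.
    ksk = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes([1, 2, 3, 4]))
    ours = compute_ds("example.com.", ksk)
    rogue = (ours[0], ours[1], ours[2], "00" * 32)  # constructed DS that matches no key of ours
    print("unexpected:", unexpected_ds("example.com.", [ksk], [ours, rogue]))
```

Feed the function the DS RRset fetched from the parent (e.g. via a validating resolver) on a schedule; any non-empty result is an alert worth paging on.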