Re: [keyassure] Objective: Restrictive versus Supplementary Models

James Cloos <> Wed, 30 March 2011 15:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 641203A6932 for <>; Wed, 30 Mar 2011 08:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[AWL=0.720, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p2bfKVnx86B4 for <>; Wed, 30 Mar 2011 08:59:19 -0700 (PDT)
Received: from ( [IPv6:2001:1938:12d::53]) by (Postfix) with ESMTP id 15B2F3A6917 for <>; Wed, 30 Mar 2011 08:59:19 -0700 (PDT)
Received: by (Postfix, from userid 10) id 401A84010B; Wed, 30 Mar 2011 16:00:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=eagle; t=1301500856; bh=6d7mxX2Sd1i8s8OlKQwJGsuXWG3ba0TJL87PyIrqQ3g=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=dTIpNxKT4/MUI93GFsenfsaG5s22D86AxZcmb+41YRw5llITsgTBJJqmo20oCi4mn WKFmSbRMm3Mc53ClfSybabvA7KFnwQl74tx3v2Ck2jAYSjqwncHlTxDWdjXpqcFDaL o4JBrDuqTZlXnjVUFwohq3C3oA0JzWNomjkbrmJ8=
Received: by (Postfix, from userid 500) id B0296260042; Wed, 30 Mar 2011 15:52:41 +0000 (UTC)
From: James Cloos <>
In-Reply-To: <> (Eric Rescorla's message of "Wed, 30 Mar 2011 10:48:53 +0200")
References: <>
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)
Copyright: Copyright 2011 James Cloos
OpenPGP: ED7DAEA6; url=
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Wed, 30 Mar 2011 11:52:41 -0400
Message-ID: <>
Lines: 40
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Mar 2011 15:59:20 -0000

>>>>> "ER" == Eric Rescorla <> writes:

ER> 1. Protecting against CA mis-issue (as in CA/cert lock).

I hadn't though of doing this as Eric later describes (such that dnssec
isn't required for this usage).

I can understand how even an unsigned specification that a resource
uses this-and-only-this CA might be an improvement over the status quo.

But isn't false RR injection combined with a matching false cert chain
still a relevant problem in that scenario?

Perhaps the rfc should spec that, but with a threat analysis.

ER> 2. Allowing TLS to work without getting a certificate from one
ER>    of the established trust anchors.

The above said, this is my primary motivation.  Commercial trust anchors
provide little value and significant burden.  

It isn't just about "convenience".

Obviously there is still a lot of third-party trust involved.  You have
to trust that the DS RRs are properly handled by the registrars, root &
tld zone operators, et al.

But we already have to trust them to do the same with the NS glue RRs.

Ie, if the NS glue is mishandled the game is over anyway.  So why not
trust them correctly to handle the DS glue, too?

The one thing that does become significantly more convenient, though,
is more frequent rollover.

Eric's second scenario should be DANE's primary mission.

James Cloos <>         OpenPGP: 1024D/ED7DAEA6