[pkng] fyi: keyassure@ mailing list - aka tls@dnssec, certs/keys-in-DNS(sec), DKI
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 18 August 2010 23:09 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: pkng@core3.amsl.com
Delivered-To: pkng@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A12E13A67F3 for <pkng@core3.amsl.com>; Wed, 18 Aug 2010 16:09:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.92
X-Spam-Level:
X-Spam-Status: No, score=-101.92 tagged_above=-999 required=5 tests=[AWL=-0.255, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zGEFmz9K4oi8 for <pkng@core3.amsl.com>; Wed, 18 Aug 2010 16:09:02 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 561A33A67F6 for <pkng@irtf.org>; Wed, 18 Aug 2010 16:09:02 -0700 (PDT)
Received: (qmail 1625 invoked by uid 0); 18 Aug 2010 23:09:36 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 18 Aug 2010 23:09:36 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=oM9RRC6VXKjsiDjwMkVkBCS3HntZrqw4PwPUwWuMntsX9uqF9qrApwtcsT4QnHSmEfXDeX14LnTeWZ1THG3M8078oBmsLesDlLaoBpzgJi1Se2VFbVlm9UyH8jC4E2SZ;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.49.165]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OlrlI-0000xE-Cf; Wed, 18 Aug 2010 17:09:36 -0600
Message-ID: <4C6C6830.9040103@KingsMountain.com>
Date: Wed, 18 Aug 2010 16:09:36 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>, IRTF PKng WG <pkng@irtf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: ondrej.sury@nic.cz
Subject: [pkng] fyi: keyassure@ mailing list - aka tls@dnssec, certs/keys-in-DNS(sec), DKI
X-BeenThere: pkng@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Public Key Next Generation \(PKNG\) Research Group" <pkng.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/pkng>, <mailto:pkng-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/pkng>
List-Post: <mailto:pkng@irtf.org>
List-Help: <mailto:pkng-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pkng>, <mailto:pkng-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 23:09:04 -0000
Of possible interest... A new pre-BoF list (keyassure@ietf.org, see below) is discussing certs/keys-in-DNS(sec) both as a way to augment present-day PKI, and as a way to re-invent it. In addition to the various references helpfully listed below by Ondrej, there's this recent preso by Dan Kaminsky, presented a couple weeks ago at Black Hat... Black Ops of Fundamental Defense: Introducing the Domain Key Infrastructure (DKI) http://www.recursion.com/files/BlackOps-2010.pdf =JeffH ------ Subject: [keyassure] You want to read this :) (Was: Welcome to the mailing list, and possible charter.) From: ondrej.sury@nic.cz Date: Wed, 18 Aug 2010 09:50:29 +0200 To: keyassure@ietf.org (text/plain) Just to add some reading material to the mailing list archive... You may want to read: New I-D by Jakob, Paul, Warren and Adam: http://www.ietf.org/internet-drafts/draft-hoffman-keys-linkage-from-dns-00.txt Slightly older CERT RR (which we already have): http://tools.ietf.org/html/rfc4398 And various older proposals which didn't make it: (Jakob's) http://stupid.domain.name/ietf/draft-schlyter-pkix-dns-02.txt (RR TYPE request I did) http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html This is just to summarize the ideas which were floating around for some time. The basis on our work will be in the most recent I-D. On 17.8.2010 19:21, Warren Kumari wrote: > Hello all, > > We are investigating starting a working group to leverage the DNSSEC > trust anchor as a trust anchor for various other protocols. We are > initially focusing on TLS, but are also interested in other > protocols. > > Just so that we are all level set, here is our initial (draft) > problem statement. > > Problem Statement: > > The DNS Security Extensions are a collection of resource records and > protocol modifications that provide source authentication for the > DNS. > > The DNSSEC signed root infrastructure provides a single, well > published trust-anchor and a method to build a chain of trust from an > individual resource record (RR) to that TA. By leveraging this > infrastructure we can securely bind information (such as a public > key, certificate identifier, etc) to a DNS name. > > Increasingly people would like to be able to take advantage of the > confidentiality and identity validation provided by protocols such as > TLS. There are numerous barriers to this, including cost, ease of > use, complexity, certificate management, etc. By allowing users to > securely publish public key information we can allow users to easily > and securely make use of self-signed certificates. > > Currently, one of the issues limiting the use of self-signed > certificates is the difficulty in key-distribution - it is infeasible > to distribute a key binding at the web scale. By providing a means to > publish (and securely validate) this information in the DNS, we allow > for users to attest to the validity of keying information and > establish trust in the published public key. > > The DNSSEC root trust anchor can also be used for additional > validation during the current path validations. By validating that > the certificate presented is the certificate identified by the DNS, > we can provide additional confidence that the client is connecting to > the intended server - this helps alleviate concerns that a valid > certificate has been obtained by an attacker (for example from a CA > not used by the victim). -- Ondřej Surý vedoucí výzkumu/Head of R&D department ------------------------------------------- CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC Americka 23, 120 00 Praha 2, Czech Republic mailto:ondrej.sury@nic.cz http://nic.cz/ tel:+420.222745110 fax:+420.222745112 ------------------------------------------- _______________________________________________ keyassure mailing list keyassure@ietf.org https://www.ietf.org/mailman/listinfo/keyassure
- [pkng] fyi: keyassure@ mailing list - aka tls@dns… =JeffH
- Re: [pkng] fyi: keyassure@ mailing list - aka tls… Stephen Farrell
- Re: [pkng] fyi: keyassure@ mailing list - aka tls… Paul Hoffman
- Re: [pkng] fyi: keyassure@ mailing list - aka tls… Stephen Farrell
- Re: [pkng] fyi: keyassure@ mailing list - aka tls… Massimiliano Pala