IETF Logo Mail Archive

Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

Ben Laurie <benl@google.com> Wed, 21 November 2012 10:52 UTC

Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1276021F85EA for <therightkey@ietfa.amsl.com>; Wed, 21 Nov 2012 02:52:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.925
X-Spam-Level:
X-Spam-Status: No, score=-102.925 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pabH0rLUq9L6 for <therightkey@ietfa.amsl.com>; Wed, 21 Nov 2012 02:52:15 -0800 (PST)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id A613F21F85F4 for <therightkey@ietf.org>; Wed, 21 Nov 2012 02:52:14 -0800 (PST)
Received: by mail-wi0-f178.google.com with SMTP id hm6so1472535wib.13 for <therightkey@ietf.org>; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5qajsulyEqw7SDQ6B5wkkq6aPp5chU9PQqVL0Lg8UQE=; b=V2QYsf60b3Gg/eIELE0F9J1puiOvNi1AURjrqqaYbCwf07jG2VMtcRj7T4lSLyBZ9P DU3m8Sb4fBC1wYXAAnsye6JqrGDUnxDLoR5rCwGpWFa5W8hA0+E+dfHh2Ec3ClEKzdGX STd9iN1rl8UbYsylz8D5JN9W8csbDAXj8cC0qnAXhmaKP0QlbBwPfIpMj5rPmPl+Tpwe YRFM54E7uRlCD30ZH7mNMVeyqajwS01xkQXu5O4Orm3PEUJtqpOMlSLi3Pc8zfVwOftQ uz8RtRxnwO7eciH/acxFKhFrwacElNY24h7ckYR5Aw6yGMtSZeKnc5K4kgCdLN0Am0Y3 FP5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=5qajsulyEqw7SDQ6B5wkkq6aPp5chU9PQqVL0Lg8UQE=; b=VwejUnPDzeqEpscuyGoHwgQkoVslpwbJe/JvV9lUZR28upVgVwlHyXkbAde2vUc5mo Gj81ORBLz0ZsoJOMuQC0BwA3o63KxKmbf1fzi4ebM6p20cjmm4YwTlMavOIL/bPdRNvh 7oPx+kM84OSmnkFUnTELTNxmG5++mVEuLabfJSb+SbgssPY7xldPeRWri6UbJjdLIrNr soim9Wst4b6RRyORN+i/FZ3vUr8/rBdg2uklKt3dJCzzPyqyBoI/xoVztXPsdVdSVOjs TgIZ6zFddKIfL0Cygvv5KidEYHAAjw76ggJElzwkNEVqn5UmBRgGuYyFs7lijPFgrgaj yONQ==
MIME-Version: 1.0
Received: by 10.180.89.234 with SMTP id br10mr19000495wib.2.1353495133439; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
Received: by 10.194.51.100 with HTTP; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
In-Reply-To: <CA+cU71=qQJ-mZvcFGOUJ+7QFuHK97Ost54KNXMC7g2JA_0c5Fg@mail.gmail.com>
References: <CCCDA3EA.3648F%carl@redhoundsoftware.com> <alpine.LFD.2.02.1211172246050.27902@bofh.nohats.ca> <CA+cU71=qQJ-mZvcFGOUJ+7QFuHK97Ost54KNXMC7g2JA_0c5Fg@mail.gmail.com>
Date: Wed, 21 Nov 2012 10:52:13 +0000
Message-ID: <CABrd9STHsBu+uT8Ji3-sGRL20=kveLkj119hPbzkxMbubw407w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQkRXAwMK35y6hiMFieKWjzAG0kuUsfXcX4riPxl8Zd08YIM/Qv/DqEJCa26f1lJegKLWnXbxtcRe2lewyHuzy3fiIHV6X1c4nWCNV1gzNyAeqKxZrMd0arXl4BFkorM696mlMsw0+MlVe0UholdvK6z7QuoG9OzHAgh8ag0pH6MLv3Mv3FRCX4+e10JZcOVx0LGpyqu
Cc: therightkey <therightkey@ietf.org>, Paul Wouters <paul@nohats.ca>, Carl Wallace <carl@redhoundsoftware.com>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2012 10:52:27 -0000

On 20 November 2012 23:47, Tom Ritter <tom@ritter.vg> wrote:
> On 17 November 2012 22:57, Paul Wouters <paul@nohats.ca> wrote:
>>
>> CT-PKIX addresses an issue where there are 600 roots and you can't
>> trust all of them (although TLSA solves that too). I'm still unsure
>> what CT-DNSSEC would solve, as just pulling history from DNS does not
>> add anything, and I have no idea how to authenticate to the CT-DNSSEC
>> audit log to start an alternative path of trust, especially if you are
>> defendining against a rogue root or rogue .com key being used secretly
>> to sign alternative records, or a compromised DNSSEC private key.
>
>
> I'd like to state what I think CT-DNSSEC would solve, and how it would work.
> I'll use .com as my example root, and google as my example CT notary.
> Hopefully I don't screw up the DNSSEC part or the CT part too much...

This looks about right to me, just one clarification. Also, as others
have said, CT-DNSSEC is probably not the right name for it!

> I submit an entry for the DS record for example.com to the .com operator.
> The operator in turn contacts google but preferably multiple notaries and
> says "This is the DS record for example.com" and google puts it into their
> log, and gives back a signed statement as proof of such.  It then enters
> this proof in some new type of record, we'll call it DSProof.  After the
> .com operator has the proof, it updates the DS and DSProof records.
>
> Now a user wants to connect securely to example.com.  They query the A
> record for example.com, and get back the response plus the RRSIG, the
> signature for the A record.  However, the client can't check the signature,
> it doesn't have the key.  I'm unsure if in implementations this query
> happens in parallel, in the same query or what - but it reaches out and gets
> the ZSK for example.com, the KSK for example.com, and the DS record for
> example.com - so it has the complete chain of keys from example.com -> .com
> -> (root).  At this point it can verify the entire chain of signatures.  But
> when it retrieves the DS record for example.com it also retrieves the
> DSProof.
>
> The client can verify that the DSProof is valid and comes from the google
> notary (I'm not 100% sure if this is a signature of a merkle path ending in
> a signature but it functions like a signature.)

In CT this is a signature from the log that is in effect a promise to
include the cert in the log. This is so that the CT log server can
respond immediately to a certificate request without having to
generate a whole new tree. We did this in the interest of reliability
and uptime (since there can only be one correct tree, it is required
that all responses from a server farm are ordered, which is
considerably more demanding than it is to store certificates for later
ordering, in short).

However, if DNSSEC servers are prepared to wait a while, sometimes,
then we could make it an actual merkle path - this was the original
design of CT, but CAs didn't like the delay.

>  The client ensures that the
> DSProof is valid and from the google notary, meaning it has an entry in the
> append-only merkel tree, which we can verify (and there are verifiers for
> it.)  That gets into the CT side of things.
>
> At this point, everything under example.com - whether it's the A record or
> the TLSA record - is signed as normal, and the signatures under example.com
> chain to a key that has been entered into a public log.  If a TLD wants to
> fraudulently sign a response for the A or TLSA record for a site, they will
> have to also enter the key into the notary.  The operator of example.com
> will be able to see there is a DS record they did not authorize in the
> notary, and can start investigations or other mitigation processes.
> (Ideally the presence of the notaries will be the deterrent against the
> attack.)
>
> I think CT-DNSSEC is important.  We've seen domain seizures before. The new
> gTLD program will open the internet to vast numbers of root operators, and
> not all of them will be competent or lack malice.  Root keys will get
> stolen.  Maybe it'll be .bugatti and not .bank but it will still happen.  We
> should build this in now, while we can flesh it out pre-widespread
> deployment of DNSSEC.
>
> -tom
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>

v2.23.0 | Report a Bug | By Email