Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
Ben Laurie <benl@google.com> Wed, 21 November 2012 10:52 UTC
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1276021F85EA for <therightkey@ietfa.amsl.com>; Wed, 21 Nov 2012 02:52:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.925
X-Spam-Level:
X-Spam-Status: No, score=-102.925 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pabH0rLUq9L6 for <therightkey@ietfa.amsl.com>; Wed, 21 Nov 2012 02:52:15 -0800 (PST)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id A613F21F85F4 for <therightkey@ietf.org>; Wed, 21 Nov 2012 02:52:14 -0800 (PST)
Received: by mail-wi0-f178.google.com with SMTP id hm6so1472535wib.13 for <therightkey@ietf.org>; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5qajsulyEqw7SDQ6B5wkkq6aPp5chU9PQqVL0Lg8UQE=; b=V2QYsf60b3Gg/eIELE0F9J1puiOvNi1AURjrqqaYbCwf07jG2VMtcRj7T4lSLyBZ9P DU3m8Sb4fBC1wYXAAnsye6JqrGDUnxDLoR5rCwGpWFa5W8hA0+E+dfHh2Ec3ClEKzdGX STd9iN1rl8UbYsylz8D5JN9W8csbDAXj8cC0qnAXhmaKP0QlbBwPfIpMj5rPmPl+Tpwe YRFM54E7uRlCD30ZH7mNMVeyqajwS01xkQXu5O4Orm3PEUJtqpOMlSLi3Pc8zfVwOftQ uz8RtRxnwO7eciH/acxFKhFrwacElNY24h7ckYR5Aw6yGMtSZeKnc5K4kgCdLN0Am0Y3 FP5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=5qajsulyEqw7SDQ6B5wkkq6aPp5chU9PQqVL0Lg8UQE=; b=VwejUnPDzeqEpscuyGoHwgQkoVslpwbJe/JvV9lUZR28upVgVwlHyXkbAde2vUc5mo Gj81ORBLz0ZsoJOMuQC0BwA3o63KxKmbf1fzi4ebM6p20cjmm4YwTlMavOIL/bPdRNvh 7oPx+kM84OSmnkFUnTELTNxmG5++mVEuLabfJSb+SbgssPY7xldPeRWri6UbJjdLIrNr soim9Wst4b6RRyORN+i/FZ3vUr8/rBdg2uklKt3dJCzzPyqyBoI/xoVztXPsdVdSVOjs TgIZ6zFddKIfL0Cygvv5KidEYHAAjw76ggJElzwkNEVqn5UmBRgGuYyFs7lijPFgrgaj yONQ==
MIME-Version: 1.0
Received: by 10.180.89.234 with SMTP id br10mr19000495wib.2.1353495133439; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
Received: by 10.194.51.100 with HTTP; Wed, 21 Nov 2012 02:52:13 -0800 (PST)
In-Reply-To: <CA+cU71=qQJ-mZvcFGOUJ+7QFuHK97Ost54KNXMC7g2JA_0c5Fg@mail.gmail.com>
References: <CCCDA3EA.3648F%carl@redhoundsoftware.com> <alpine.LFD.2.02.1211172246050.27902@bofh.nohats.ca> <CA+cU71=qQJ-mZvcFGOUJ+7QFuHK97Ost54KNXMC7g2JA_0c5Fg@mail.gmail.com>
Date: Wed, 21 Nov 2012 10:52:13 +0000
Message-ID: <CABrd9STHsBu+uT8Ji3-sGRL20=kveLkj119hPbzkxMbubw407w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQkRXAwMK35y6hiMFieKWjzAG0kuUsfXcX4riPxl8Zd08YIM/Qv/DqEJCa26f1lJegKLWnXbxtcRe2lewyHuzy3fiIHV6X1c4nWCNV1gzNyAeqKxZrMd0arXl4BFkorM696mlMsw0+MlVe0UholdvK6z7QuoG9OzHAgh8ag0pH6MLv3Mv3FRCX4+e10JZcOVx0LGpyqu
Cc: therightkey <therightkey@ietf.org>, Paul Wouters <paul@nohats.ca>, Carl Wallace <carl@redhoundsoftware.com>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2012 10:52:27 -0000
On 20 November 2012 23:47, Tom Ritter <tom@ritter.vg> wrote: > On 17 November 2012 22:57, Paul Wouters <paul@nohats.ca> wrote: >> >> CT-PKIX addresses an issue where there are 600 roots and you can't >> trust all of them (although TLSA solves that too). I'm still unsure >> what CT-DNSSEC would solve, as just pulling history from DNS does not >> add anything, and I have no idea how to authenticate to the CT-DNSSEC >> audit log to start an alternative path of trust, especially if you are >> defendining against a rogue root or rogue .com key being used secretly >> to sign alternative records, or a compromised DNSSEC private key. > > > I'd like to state what I think CT-DNSSEC would solve, and how it would work. > I'll use .com as my example root, and google as my example CT notary. > Hopefully I don't screw up the DNSSEC part or the CT part too much... This looks about right to me, just one clarification. Also, as others have said, CT-DNSSEC is probably not the right name for it! > I submit an entry for the DS record for example.com to the .com operator. > The operator in turn contacts google but preferably multiple notaries and > says "This is the DS record for example.com" and google puts it into their > log, and gives back a signed statement as proof of such. It then enters > this proof in some new type of record, we'll call it DSProof. After the > .com operator has the proof, it updates the DS and DSProof records. > > Now a user wants to connect securely to example.com. They query the A > record for example.com, and get back the response plus the RRSIG, the > signature for the A record. However, the client can't check the signature, > it doesn't have the key. I'm unsure if in implementations this query > happens in parallel, in the same query or what - but it reaches out and gets > the ZSK for example.com, the KSK for example.com, and the DS record for > example.com - so it has the complete chain of keys from example.com -> .com > -> (root). At this point it can verify the entire chain of signatures. But > when it retrieves the DS record for example.com it also retrieves the > DSProof. > > The client can verify that the DSProof is valid and comes from the google > notary (I'm not 100% sure if this is a signature of a merkle path ending in > a signature but it functions like a signature.) In CT this is a signature from the log that is in effect a promise to include the cert in the log. This is so that the CT log server can respond immediately to a certificate request without having to generate a whole new tree. We did this in the interest of reliability and uptime (since there can only be one correct tree, it is required that all responses from a server farm are ordered, which is considerably more demanding than it is to store certificates for later ordering, in short). However, if DNSSEC servers are prepared to wait a while, sometimes, then we could make it an actual merkle path - this was the original design of CT, but CAs didn't like the delay. > The client ensures that the > DSProof is valid and from the google notary, meaning it has an entry in the > append-only merkel tree, which we can verify (and there are verifiers for > it.) That gets into the CT side of things. > > At this point, everything under example.com - whether it's the A record or > the TLSA record - is signed as normal, and the signatures under example.com > chain to a key that has been entered into a public log. If a TLD wants to > fraudulently sign a response for the A or TLSA record for a site, they will > have to also enter the key into the notary. The operator of example.com > will be able to see there is a DS record they did not authorize in the > notary, and can start investigations or other mitigation processes. > (Ideally the presence of the notaries will be the deterrent against the > attack.) > > I think CT-DNSSEC is important. We've seen domain seizures before. The new > gTLD program will open the internet to vast numbers of root operators, and > not all of them will be competent or lack malice. Root keys will get > stolen. Maybe it'll be .bugatti and not .bank but it will still happen. We > should build this in now, while we can flesh it out pre-widespread > deployment of DNSSEC. > > -tom > > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey >
- [therightkey] Defining CT-for-PKIX and CT-for-DNS… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Shumon Huque
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Richard L. Barnes
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Tom Ritter
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie