Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
Tom Ritter <tom@ritter.vg> Tue, 20 November 2012 23:47 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08BB21F8815 for <therightkey@ietfa.amsl.com>; Tue, 20 Nov 2012 15:47:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ph8uzax3ycJh for <therightkey@ietfa.amsl.com>; Tue, 20 Nov 2012 15:47:31 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7962621F8819 for <therightkey@ietf.org>; Tue, 20 Nov 2012 15:47:31 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id fw7so4867943vcb.31 for <therightkey@ietf.org>; Tue, 20 Nov 2012 15:47:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=jeeObW19s0Ph/pK0/32730FAAE49dEUcmSWVs52IYWA=; b=wpPyb3Q2flKGbP1hmw8pkUGmHt9CvjMM1/8HARDV/nxs282sphx2r5p515BGlMmx1a g3wib2Mg+aa9accgbAEFHXCCXUQW7/9kOqV96z5ewLCxRQaYbnGCfbWS+6I0fSx3iOp8 FS4uizJeBrMDeFgKjljXREHEV4x88g7fW57sU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=jeeObW19s0Ph/pK0/32730FAAE49dEUcmSWVs52IYWA=; b=CmEsiPXjSxyn03wbHH2P6yP0UM5zZYaiLogHuF+bMY3q4vGRcdlcUjz9wWMisI9Si+ HJNGjyagAnxsnuVYQeklTIgZlJS7NJDbMo6tt7Na3CuLzAUGTfXz82I/iyjaa5ooYDgF M7CHpiq9ua0sZ4fN3jPzHhqThuRyoVC3Eb3hHtSXmy94vbCIebWDIZ4H4r6VBJ/1Y1Fg wzLBjZKSRP/elPEiB0PulQSZF5Ibx/oE17YQDq1s5ftjQNgWeiGZD2hw2ASdBajSq2yj h5d4pl3hr+tLhqaKmmgBTL75GhLRyC/lgjB+9KRqHe+KB2h6XB59BB90PEYftxpXLPwo C/rg==
Received: by 10.52.72.42 with SMTP id a10mr22920341vdv.48.1353455250631; Tue, 20 Nov 2012 15:47:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.227.65 with HTTP; Tue, 20 Nov 2012 15:47:09 -0800 (PST)
In-Reply-To: <alpine.LFD.2.02.1211172246050.27902@bofh.nohats.ca>
References: <CCCDA3EA.3648F%carl@redhoundsoftware.com> <alpine.LFD.2.02.1211172246050.27902@bofh.nohats.ca>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 20 Nov 2012 18:47:09 -0500
Message-ID: <CA+cU71=qQJ-mZvcFGOUJ+7QFuHK97Ost54KNXMC7g2JA_0c5Fg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="20cf307f362c6eec8704cef5db20"
X-Gm-Message-State: ALoCoQmsdKjC2Yp3d0ot86cRC9LtWZ1Hp0R8g28WuEtP6JzUVWfVRcGRJZTUPimlry7QSI9sA24b
Cc: therightkey <therightkey@ietf.org>, Carl Wallace <carl@redhoundsoftware.com>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2012 23:47:33 -0000
On 17 November 2012 22:57, Paul Wouters <paul@nohats.ca> wrote: > CT-PKIX addresses an issue where there are 600 roots and you can't > trust all of them (although TLSA solves that too). I'm still unsure > what CT-DNSSEC would solve, as just pulling history from DNS does not > add anything, and I have no idea how to authenticate to the CT-DNSSEC > audit log to start an alternative path of trust, especially if you are > defendining against a rogue root or rogue .com key being used secretly > to sign alternative records, or a compromised DNSSEC private key. I'd like to state what I think CT-DNSSEC would solve, and how it would work. I'll use .com as my example root, and google as my example CT notary. Hopefully I don't screw up the DNSSEC part or the CT part too much... I submit an entry for the DS record for example.com to the .com operator. The operator in turn contacts google but preferably multiple notaries and says "This is the DS record for example.com" and google puts it into their log, and gives back a signed statement as proof of such. It then enters this proof in some new type of record, we'll call it DSProof. After the .com operator has the proof, it updates the DS and DSProof records. Now a user wants to connect securely to example.com. They query the A record for example.com, and get back the response plus the RRSIG, the signature for the A record. However, the client can't check the signature, it doesn't have the key. I'm unsure if in implementations this query happens in parallel, in the same query or what - but it reaches out and gets the ZSK for example.com, the KSK for example.com, and the DS record for example.com - so it has the complete chain of keys from example.com -> .com -> (root). At this point it can verify the entire chain of signatures. But when it retrieves the DS record for example.com it also retrieves the DSProof. The client can verify that the DSProof is valid and comes from the google notary (I'm not 100% sure if this is a signature of a merkle path ending in a signature but it functions like a signature.) The client ensures that the DSProof is valid and from the google notary, meaning it has an entry in the append-only merkel tree, which we can verify (and there are verifiers for it.) That gets into the CT side of things. At this point, everything under example.com - whether it's the A record or the TLSA record - is signed as normal, and the signatures under example.comchain to a key that has been entered into a public log. If a TLD wants to fraudulently sign a response for the A or TLSA record for a site, they will have to also enter the key into the notary. The operator of example.com will be able to see there is a DS record they did not authorize in the notary, and can start investigations or other mitigation processes. (Ideally the presence of the notaries will be the deterrent against the attack.) I think CT-DNSSEC is important. We've seen domain seizures before. The new gTLD program will open the internet to vast numbers of root operators, and not all of them will be competent or lack malice. Root keys will get stolen. Maybe it'll be .bugatti and not .bank but it will still happen. We should build this in now, while we can flesh it out pre-widespread deployment of DNSSEC. -tom
- [therightkey] Defining CT-for-PKIX and CT-for-DNS… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Shumon Huque
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Richard L. Barnes
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Hoffman
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Paul Wouters
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Carl Wallace
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Tom Ritter
- Re: [therightkey] Defining CT-for-PKIX and CT-for… Ben Laurie