IETF Logo Mail Archive

Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

Carl Wallace <carl@redhoundsoftware.com> Sat, 17 November 2012 21:50 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F13B21F8467 for <therightkey@ietfa.amsl.com>; Sat, 17 Nov 2012 13:50:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cAeTrzRIq+qg for <therightkey@ietfa.amsl.com>; Sat, 17 Nov 2012 13:50:17 -0800 (PST)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id F34BC21F8466 for <therightkey@ietf.org>; Sat, 17 Nov 2012 13:50:16 -0800 (PST)
Received: by mail-vb0-f44.google.com with SMTP id fc26so4345058vbb.31 for <therightkey@ietf.org>; Sat, 17 Nov 2012 13:50:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :in-reply-to:mime-version:content-type:content-transfer-encoding :x-gm-message-state; bh=eZ/VA2COp16JjTdy+GORho+DyrpxWsMa6EuzEkWJ/mA=; b=OEAFLXc5nDNu6ajpTgjP3VWJBYch/senSyt6aiK8l/X49h4IvaqG/tLDKkAGGvkMmM PPfcRG77s4vCjnNNyo533whIlckSI3AFagreJJJRjUo4UJ/MZsuvLj4hmaFxVLGbUqoh 8TXvhJt7RtbXGjsPrm5WKsYo/0du/AR3bLE7o6/Buq5IbUZPtBRg1O202casIZ6h7y22 /GHh/mmMrurhhy+k0cp7SiHgJdlLOEfDB45BJC/O5mHIxUnJLRQA2O6HyW4esA5oxX8U 6JtKzuxzoRO65GEr8vuK6z7SxxLPFoA9kwFgkgjCoHtgm1wIFrsWkDGz0y2pmA4rPmmn sxfg==
Received: by 10.59.6.39 with SMTP id cr7mr11009139ved.17.1353189016273; Sat, 17 Nov 2012 13:50:16 -0800 (PST)
Received: from [192.168.2.6] (pool-173-79-110-220.washdc.fios.verizon.net. [173.79.110.220]) by mx.google.com with ESMTPS id l15sm3156046vdt.14.2012.11.17.13.50.13 (version=SSLv3 cipher=OTHER); Sat, 17 Nov 2012 13:50:15 -0800 (PST)
User-Agent: Microsoft-MacOutlook/14.2.5.121010
Date: Sat, 17 Nov 2012 16:50:12 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "Richard L. Barnes" <rbarnes@bbn.com>
Message-ID: <CCCD7038.36484%carl@redhoundsoftware.com>
Thread-Topic: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
In-Reply-To: <2603023B-FBA3-433D-82BF-A742BC43FB66@vpnc.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Gm-Message-State: ALoCoQl0QeORSZzbcrL7+4o8E8BfMrlz0zNvxMACUasJK2w8twI0z6bZ5dHgpJrB8LawszzqTB2J
Cc: therightkey@ietf.org
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Nov 2012 21:50:18 -0000

On 11/17/12 2:37 PM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:

>On Nov 17, 2012, at 11:32 AM, "Richard L. Barnes" <rbarnes@bbn.com> wrote:
>
>>>> CT-for-PKIX helps a web site administrator determine if a trusted CA
>>>>ever issued a certificate that should not have been issued.
>>>> 
>>>> CT-for-DNSSEC helps a DNS zone administrator determine whether a DNS
>>>>server in the hierarchy above the leaf zone ever included a DS record
>>>>that should not have been included.
>>>> 
>>>> It would be good to have agreement on the above; feel free to offer
>>>>changes and see if the authors agree. Then we can talk about the
>>>>relationship between the two.
>>>> 
>>> 
>>> Sounds reasonable to me.
>>> 
>>> Does "CT" need to be renamed for DNSSEC? Since we're talking about
>>> transparency of delegation records/keys and not X.509 certificates.
>>> If C means "certification" in the general sense, then I suppose it
>>> might still be applicable since a (signed) DS record certifies the
>>> authenticity of the secure entry point key in a subordinate zone.
>> 
>> "DST"?
>> 
>> The definitions sound reasonable, but I'm at a loss as to why you would
>>bother with "CT-for-DNSSEC".  The whole point of CT is that the space of
>>X.509 issuers is very large, and the certificates can be presented by
>>any server on the Internet.    It's a hassle to check every, say, HTTPS
>>server on the Internet to see if a cert with your name is being provided.
>> 
>> In DNSSEC, the set of "issuers" is very small (parent domains), and the
>>DS records originate from a well-defined set of sources (authoritative
>>servers for those domains).  Checking those servers is not that much
>>more difficult than checking a CT log, and doesn't require any new
>>protocol.
>
>Maybe you missed the earlier discussion of this in the past few days.
>
>Rogue DS records might not be detectable to the party with the leaf
>record. For example, assume the domain name example.newtld. The owner of
>example has put DS record A in the newtld zone. If the owner of newtld
>goes rogue and shows DS record B to a limited number of requests (such as
>to a particular geographic region or set of network addresses), the party
>with the private key associated with B can spoof example, and the owner
>of example would not know unless he could see B.

Who is intended to be able to contribute to the log?  It seems like for
this to provide the desired visibility, any client should be able to.  For
CT, at least, I thought this was not to be the case.

v2.23.0 | Report a Bug | By Email