Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

"Henry B. Hotz" <hotz@jpl.nasa.gov> Tue, 05 October 2010 06:31 UTC

Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1241A3A6CC4; Mon, 4 Oct 2010 23:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uN4NsaD2zTzW; Mon, 4 Oct 2010 23:31:28 -0700 (PDT)
Received: from mail.jpl.nasa.gov (sentrion3.jpl.nasa.gov [128.149.139.109]) by core3.amsl.com (Postfix) with ESMTP id 224C03A6A03; Mon, 4 Oct 2010 23:31:27 -0700 (PDT)
Received: from [192.168.2.2] (netblock-72-25-120-25.dslextreme.com [72.25.120.25]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.3) with ESMTP id o956WJUv003565 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Mon, 4 Oct 2010 23:32:21 -0700
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=us-ascii
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <201010050046.o950kBPe005266@fs4113.wdf.sap.corp>
Date: Mon, 4 Oct 2010 23:32:19 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <79D1362B-40D5-4990-BD7F-913903837907@jpl.nasa.gov>
References: <201010050046.o950kBPe005266@fs4113.wdf.sap.corp>
To: "mrex@sap.com" <mrex@sap.com>
X-Mailer: Apple Mail (2.1081)
X-Source-IP: netblock-72-25-120-25.dslextreme.com [72.25.120.25]
X-Source-Sender: hotz@jpl.nasa.gov
X-Spamclassfication-Commtouch: not spam
X-SpamRefId: str=0001.0A090204.4CAAC677.006E,ss=1,fgs=0
X-Mailman-Approved-At: Sun, 10 Oct 2010 17:22:31 -0700
Cc: "pkix@ietf.org" <pkix@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Michael StJohns <mstjohns@comcast.net>, "saag@ietf.org" <saag@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 06:31:30 -0000

On Oct 4, 2010, at 5:46 PM, Martin Rex wrote:

>> DNSSEC provides a "secure" association FROM the name TO the IP address.
>> But the DNS domain owner tends not to be the host owner so this asserted
>> association may not reflect the intent of the host owner.
>> Also, DNSSEC doesn't protect from IP hijacking (re-routing).
> 
> Incorrect characterisation.  DNSSEC provides only for secure distribution
> of DNS records.  Whether the distributed DNS records are accurate or
> trustworthy is a completely distinct issue.


I think secure distribution of DNS records implies secure distribution of name to IP associations.  

Whether those records are <whatever/> depends on the practices of the domain administrator.  Is a 3rd party CA is more or less (likely to be) trustworthy than the relevant domain administrator?

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu