Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Ondřej Surý <ondrej.sury@nic.cz> Tue, 05 October 2010 16:50 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C24E3A6FDD; Tue, 5 Oct 2010 09:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.917
X-Spam-Level:
X-Spam-Status: No, score=-0.917 tagged_above=-999 required=5 tests=[AWL=-0.014, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DznwKE+wEkb; Tue, 5 Oct 2010 09:48:31 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by core3.amsl.com (Postfix) with ESMTP id 6BB283A6CE1; Tue, 5 Oct 2010 09:48:30 -0700 (PDT)
Received: from [10.168.66.81] (89-24-7-50.i4g.tmcz.cz [89.24.7.50]) by mail.nic.cz (Postfix) with ESMTPA id B87767343EE; Tue, 5 Oct 2010 18:49:26 +0200 (CEST)
References: <AANLkTinRWJZr7huuG+Ovh3sCCUnVZAghggAzmq7g6ERx@mail.gmail.com> <1285970705.1984.136.camel@mattlaptop2.local> <AANLkTi=cD1E=QoD3uRyhHyd6bUSgd9_ibgdM5iy1+9TR@mail.gmail.com> <AANLkTimtc1aT0r+oTJYpjixTSiE+gwpORszjPYz7y7PE@mail.gmail.com> <C1A47F1540DF3246A8D30C853C05D0DA0341EC56@DABECK.missi.ncsc.mil>
In-Reply-To: <C1A47F1540DF3246A8D30C853C05D0DA0341EC56@DABECK.missi.ncsc.mil>
Mime-Version: 1.0 (iPhone Mail 8B117)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <60283F04-0795-46E9-AE42-58EA099A9BF5@nic.cz>
X-Mailer: iPhone Mail (8B117)
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
Date: Tue, 5 Oct 2010 18:49:26 +0200
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 16:50:27 -0000

You are working on wrong assumptions. The DV certs are exactly as strong as your DNS is. You only need to attack DNS to issue a DV cert.

Ondrej Sury

On 5.10.2010, at 18:32, "Kemp, David P." <DPKemp@missi.ncsc.mil> wrote:

> You are confusing attack surface with vulnerability.  Without getting
> into technology specifics, if A .and. B must be successfully attacked in
> order to cause a problem, then having two systems can only reduce the
> vulnerability even though there are more places to attack.
> 
> If the problem is availability, then the best strategy is redundancy -
> use multiple sources for a single information item.  If the problem is
> integrity, the best strategy is diversity - use different sources for
> different information items.  If either source gives the wrong answer
> you fail, but fail safely.  (Redundancy and diversity can be combined of
> course, but then combining rules such voting thresholds have to be
> specified). 
> 
> For the DNS/PKI case, if A is an IP address for a dnsname and B is a
> public key for a dnsname, then it is necessary to attack the sources of
> A and B in order to successfully spoof a named server.  If A and B come
> from the same system (e.g., DNS) it is necessary to attack only that
> system.  If they come from different systems (DNS and PKI) then it is
> necessary to attack both.  Attacking only one may cause an availability
> failure, but not an integrity failure.
> 
> Dave
> 
> 
> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
> Ben Laurie
> 
> 
> If I deploy the DNS solution, stating that DNS is authoritative, then
> my attack surface now excludes all CAs. How is that an increase in
> attack surface?
> 
> Contrast with today's situation, where my attack surface is increased
> on a regular basis by the introduction of new CAs, without any
> consultation with me at all.
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix