Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Tony Finch <dot@dotat.at> Sun, 03 October 2010 12:15 UTC

References: <AANLkTinRWJZr7huuG+Ovh3sCCUnVZAghggAzmq7g6ERx@mail.gmail.com> <1285970705.1984.136.camel@mattlaptop2.local> <AANLkTi=cD1E=QoD3uRyhHyd6bUSgd9_ibgdM5iy1+9TR@mail.gmail.com> <AANLkTimtc1aT0r+oTJYpjixTSiE+gwpORszjPYz7y7PE@mail.gmail.com> <4CA7E120.6080701@extendedsubset.com>
In-Reply-To: <4CA7E120.6080701@extendedsubset.com>
Message-Id: <B7C7EE71-D872-403F-A0F4-7622BABC4C3D@dotat.at>
From: Tony Finch <dot@dotat.at>
Date: Sun, 03 Oct 2010 13:15:54 +0100
To: Marsh Ray <marsh@extendedsubset.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

On 3 Oct 2010, at 02:49, Marsh Ray <marsh@extendedsubset.com> wrote:
> 
> In the meantime, we'd end up with the DNS root effectively having the power of yet another CA. Except that it's not, because the various arms of ICANN and VeriSign/Symantec are probably already trusted many times over.

I agree with your points about the difficulty of rolling out DNSSEC key assurance and its coexistence with PKIX.

But the above is a bit off-base, because the DNS has a lot of structural constraints that make it weaker than a CA. Although in theory the root zone operators could steal any arbitrary name, the organisational checks and balances prevent that. CAs have no significant external checks and balances. For example, they don't have the equivalent of whois that allows third parties to check who has been issued a certificate for a particular name.

Tony.
--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/