Re: [TLS] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Yaron Sheffer <> Wed, 06 October 2010 21:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13B023A7147; Wed, 6 Oct 2010 14:17:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.449
X-Spam-Status: No, score=-102.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QnxdQCLQqM6P; Wed, 6 Oct 2010 14:16:59 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 053223A71E5; Wed, 6 Oct 2010 14:16:57 -0700 (PDT)
Received: by fxm6 with SMTP id 6so9814fxm.31 for <multiple recipients>; Wed, 06 Oct 2010 14:17:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=lnSVHYR12MIJciOaVQlrO+vYpkQLQPf2U6qFCEiOJTk=; b=XwE6DBl33CHleM9lZrdO/+9g8Xzn0WGh8HdbmLN8QorQogLysEQffyg+DbD6mPLC50 CYFU4T1+nWmZyJr+PWjoEKCi+WHWkvQtUTRa8/7V6hAAbWFwfzxf/y10oPrICYt6QdVJ Ynq4/uZYPLA+n/q1yW6fvpIDalV2ZE+K0S/I4=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=MQoYHjh4DcF5HgD8Aaof+J4O3py1qPT2dGDcpte6qSksVz6vLM1xCW91p/walRjDL4 U3cpm24VjjhJjfSZfrq37K55eZsQE6rrBwk34AjKtsR6tYc1pIJSdceO1sVJi9HtXOdx +Eve86cB8oL+q3ks7og5SYd/VArhoucMhejeQ=
Received: by with SMTP id j13mr13126150fap.39.1286399872972; Wed, 06 Oct 2010 14:17:52 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id u8sm686757fah.36.2010. (version=SSLv3 cipher=RC4-MD5); Wed, 06 Oct 2010 14:17:51 -0700 (PDT)
Message-ID: <>
Date: Wed, 06 Oct 2010 23:17:47 +0200
From: Yaron Sheffer <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100915 Lightning/1.0b1 Thunderbird/3.0.8
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc:,, Michael StJohns <>,,
Subject: Re: [TLS] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Oct 2010 21:17:00 -0000

People keep referring to the 100+ vendor CA jungle. It is somewhat 
impolite to point it out, but there are very few major vendors in this 
space, and these vendors have been implicated in some of the most 
publicized attacks. In some cases, hiding behind a "low-cost" brand name.

In other words, the problem with the TLS PKI is not (only) the small fish.


On 10/05/2010 02:46 AM, Martin Rex wrote:
> Conceptually, limiting the certificates that can be used to provide
> servers on specific DNS hostnames to certificates explicitly listed
> by the DNS admin would significantly reduce the huge attack surface
> of the existing "TLS PKI" with>100 independent pre-configured
> trust-anchors in most TLS client software.