Re: [TLS] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC

der Mouse <mouse@Rodents-Montreal.ORG> Tue, 05 October 2010 08:00 UTC

Return-Path: <mouse@Sparkle.Rodents-Montreal.ORG>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0086E3A6BF0; Tue, 5 Oct 2010 01:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.46
X-Spam-Level:
X-Spam-Status: No, score=-8.46 tagged_above=-999 required=5 tests=[AWL=1.528, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VKelxu700Ha; Tue, 5 Oct 2010 01:00:06 -0700 (PDT)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG [216.46.5.7]) by core3.amsl.com (Postfix) with ESMTP id 5C03A3A6A6C; Tue, 5 Oct 2010 01:00:05 -0700 (PDT)
Received: (from mouse@localhost) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id EAA11862; Tue, 5 Oct 2010 04:00:55 -0400 (EDT)
Date: Tue, 5 Oct 2010 04:00:55 -0400 (EDT)
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201010050800.EAA11862@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Tue, 5 Oct 2010 03:51:36 -0400 (EDT)
To: pkix@ietf.org, dnsop@ietf.org, saag@ietf.org, tls@ietf.org
In-Reply-To: <79D1362B-40D5-4990-BD7F-913903837907@jpl.nasa.gov>
References: <201010050046.o950kBPe005266@fs4113.wdf.sap.corp> <79D1362B-40D5-4990-BD7F-913903837907@jpl.nasa.gov>
X-Mailman-Approved-At: Sun, 10 Oct 2010 17:22:31 -0700
Subject: Re: [TLS] [saag] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 08:00:07 -0000

>>> DNSSEC provides a "secure" association FROM the name TO the IP
>>> address.
>> Incorrect characterisation.  DNSSEC provides only for secure
>> distribution of DNS records.  Whether the distributed DNS records
>> are accurate or trustworthy is a completely distinct issue.
> I think secure distribution of DNS records implies secure
> distribution of name to IP associations.

Yes, it does, name-to-IP associations being one of the major things the
DNS is used for.

But the original statement was that DNSSEC provides "secure"
association from name to IP.  This is a stronger property than
providing secure distribution of name-to-IP mapping information; it
also implies that the creation of that information and its injection
into the distribution mechanisms are "secure" (whatever that means - I
note that none of these say what they are talking about being secure
against; perhaps I'm just missing context).

> Is a 3rd party CA more or less (likely to be) trustworthy than the
> relevant domain administrator?

There are (at least moderately) common scenarios in which it's the one
way around; there are other similarly common scenarios in which it's
the other - at least for most types of trust; again, this doesn't give
much hint of the threat model of interest.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
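The distinction argued over above (secure distribution of records versus the records themselves being right) can be made concrete. The following is an added example, not code from the thread or from any DNSSEC implementation: a toy model of a validating resolver using Ed25519 (a real DNSSEC algorithm, though this model omits RRSIG timing fields, key tags, NSEC and the multi-level delegation chain). The zone name `example.`, the addresses, and the fixed key seeds are constructed for illustration. It shows that a record altered in flight, or re-signed under a key that does not chain to the trust anchor, fails validation, while a record that the zone operator published wrongly (or that an attacker holding the signing key published) validates without complaint.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RR is a stripped-down resource record: owner name, type, rdata as text.
type RR struct{ Name, Type, Data string }

// RRSIG is the signature a zone publishes over one RRset. Toy form: a real
// RRSIG also carries inception/expiration, key tag and signer name fields.
type RRSIG struct {
	Signer string
	Sig    []byte
}

// canonical renders an RRset in a fixed order so signer and validator hash
// the same bytes regardless of the order the records arrived in.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, r := range rrs {
		lines[i] = strings.ToLower(r.Name) + " " + r.Type + " " + r.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// dsDigest is the hash of a zone key that the parent publishes as a DS record;
// a resolver's configured trust anchor is the same kind of digest.
func dsDigest(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// signRRset is what the zone operator's signing tool does: it attests that
// this RRset is what the zone publishes. It says nothing about whether the
// data is correct.
func signRRset(rrs []RR, zone string, priv ed25519.PrivateKey) RRSIG {
	return RRSIG{Signer: zone, Sig: ed25519.Sign(priv, canonical(rrs))}
}

// validate does what a validating resolver does: check that the presented
// zone key chains to the trust anchor, then check the RRSIG over the RRset.
func validate(trustAnchorDS string, zoneKey ed25519.PublicKey, rrs []RR, sig RRSIG) error {
	if dsDigest(zoneKey) != trustAnchorDS {
		return errors.New("zone key does not match trust anchor DS digest")
	}
	if !ed25519.Verify(zoneKey, canonical(rrs), sig.Sig) {
		return errors.New("RRSIG does not verify: RRset altered or signed by another key")
	}
	return nil
}

// Fixed seeds so the example is reproducible (constructed; a real signer draws
// fresh random keys). zonePriv belongs to the example. operator, attackerPriv
// to someone who does not control the zone.
var (
	zonePriv     = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	trustAnchor  = dsDigest(pubOf(zonePriv)) // what the resolver was configured with
)

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// scenarioGenuine: the operator publishes the right address; validates.
func scenarioGenuine() error {
	rrs := []RR{{"www.example.", "A", "192.0.2.10"}}
	return validate(trustAnchor, pubOf(zonePriv), rrs, signRRset(rrs, "example.", zonePriv))
}

// scenarioTampered: an on-path attacker rewrites the A record after signing;
// secure distribution catches it.
func scenarioTampered() error {
	rrs := []RR{{"www.example.", "A", "192.0.2.10"}}
	sig := signRRset(rrs, "example.", zonePriv)
	rrs[0].Data = "198.51.100.66" // altered on the wire
	return validate(trustAnchor, pubOf(zonePriv), rrs, sig)
}

// scenarioForged: the attacker re-signs under a key of their own; the key
// does not chain to the trust anchor.
func scenarioForged() error {
	rrs := []RR{{"www.example.", "A", "198.51.100.66"}}
	return validate(trustAnchor, pubOf(attackerPriv), rrs, signRRset(rrs, "example.", attackerPriv))
}

// scenarioWrongButSigned: the zone operator (or whoever holds the signing key)
// publishes the wrong address. Every check passes: DNSSEC delivered the record
// securely, but nothing about the record's content was vouched for.
func scenarioWrongButSigned() error {
	rrs := []RR{{"www.example.", "A", "198.51.100.66"}}
	return validate(trustAnchor, pubOf(zonePriv), rrs, signRRset(rrs, "example.", zonePriv))
}

func main() {
	for _, s := range []struct {
		name string
		run  func() error
	}{
		{"genuine", scenarioGenuine},
		{"tampered in flight", scenarioTampered},
		{"forged with another key", scenarioForged},
		{"wrong data, validly signed", scenarioWrongButSigned},
	} {
		fmt.Printf("%-27s -> %v\n", s.name, s.run())
	}
}
```

The last scenario is the point of the thread: the resolver cannot tell a correctly signed wrong record from a correctly signed right one, so "secure distribution" is the only property the validation step can deliver, and trust in the data still rests on whoever controls the zone and its signing key.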