Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Martin Rex <mrex@sap.com> Tue, 05 October 2010 19:46 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91A923A6E62; Tue, 5 Oct 2010 12:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.866
X-Spam-Level:
X-Spam-Status: No, score=-9.866 tagged_above=-999 required=5 tests=[AWL=0.383, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xDHy26W5LDr; Tue, 5 Oct 2010 12:46:01 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 698EC3A6DF6; Tue, 5 Oct 2010 12:46:00 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o95JkuHP024701 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 5 Oct 2010 21:46:57 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201010051946.o95JkteM009316@fs4113.wdf.sap.corp>
To: hallam@gmail.com (Phillip Hallam-Baker)
Date: Tue, 5 Oct 2010 21:46:55 +0200 (MEST)
In-Reply-To: <AANLkTinMSh7VdfSw1CwhAvBJXv9YW3KYfhtv2QU6LKcp@mail.gmail.com> from "Phillip Hallam-Baker" at Oct 5, 10 12:56:49 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: pkix@ietf.org, DPKemp@missi.ncsc.mil, dnsop@ietf.org, tls@ietf.org, saag@ietf.org
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 19:46:04 -0000

Phillip Hallam-Baker wrote:
> 
> David P. Kemp wrote:
> >
> > For the DNS/PKI case, if A is an IP address for a dnsname and B is a
> > public key for a dnsname, then it is necessary to attack the sources of
> > A and B in order to successfully spoof a named server.  If A and B come
> > from the same system (e.g., DNS) it is necessary to attack only that
> > system.  If they come from different systems (DNS and PKI) then it is
> > necessary to attack both.  Attacking only one may cause an availability
> > failure, but not an integrity failure.
>
> When I originally looked at this scheme I thought that it was intended to
> reduce the attack surface in the manner you describe.
> 
> Clearly if you have two controls, A and B and BOTH must be compromised, the
> system is less likely to be compromised than either A or B.


The DNS admin that controls A can always get a perfectly valid
certificate B issued and successfully impersonate all services
offered on servers in his DNS domain.  Because of this characteristic 
of the TLS PKI, it doesn't matter how much scrutiny the CAs apply,
if you can not trust the DNS admin, you loose.

Requiring the involvement of a pre-trusted commercial CA makes
it less attractive to DNS admins to abuse their position and
harder for attackers that manage to modify DNS records of
DNSSEC signed zones to impersonate servers in that DNS zone.
Obtaining CA-signed server certs may require "official procurement",
so the issuance of the server certs goes on record at the issuing CA
and the domain owners procurement.  This could serve as a deterrent
for outsourced DNS services or unhappy DNS admins.


> 
> But the design approach taken in the Hoffman et. al. proposal is that
> publication of a DNSSEC assurance for a cert disables verification on the
> PKIX chain unless the 'preferences' flag is set. This flag will be buried in
> a base64 encoded sub-field encoding.

What is the alternative?

I'm constantly hearing some folks that want to obtain DNSname-constrained
organizational CA-certs signed under one of the pre-configured trust anchors
so that their (DNS) admin can issue server certs without involvement
of commercial CAs.  Such CA-certs will probably sell at a significant
premium.

Should the IETF really define TLS technology in a fashion where
everyone will have to buy out of slavery from a commercial CA oligopoly
at a significant premium for every DNS domain one operates?

It is a "trade-off", to hold the whole world hostage to the CA oligopoly
in order to keep the initial investment (the "Coasean floor"[*]) high
for only one specific impersonation attack, but I'm not convinced that
this particular approach is the the best solution or the only solution
and that the benefit is worth the cost.  I could imagine that it
appeals to top-level management, because they do not like to worry
about outsourcing stuff (like DNS administration) or worry about
making employees (like DNS admins) unhappy.


-Martin

[*] There was an article about "Coasean floor" in Bruce Schneiers
Dec-2008 Cryptogram http://www.schneier.com/crypto-gram-0812.html#7