Re: [Trans] DNSSEC also needs CT
Nico Williams <nico@cryptonector.com> Mon, 12 May 2014 18:01 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2901A0756 for <trans@ietfa.amsl.com>; Mon, 12 May 2014 11:01:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ej6v4HdP2EW9 for <trans@ietfa.amsl.com>; Mon, 12 May 2014 11:01:35 -0700 (PDT)
Received: from homiemail-a55.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 313FE1A0766 for <trans@ietf.org>; Mon, 12 May 2014 11:01:35 -0700 (PDT)
Received: from homiemail-a55.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTP id 5AEED160C for <trans@ietf.org>; Mon, 12 May 2014 11:01:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=p28MhpvpFjezL/jDutfq GJ313eU=; b=CPGwljvZoU7HvCDPv29+jTmHqYcoxW3/Ytxdi69Cy4JwNqoOz27j XjAa+Yw2sGry4BItZ0giVKel9ZHEtwZb5Mzt9xsyjQ5R8QtA2fvl+OuPqcH+0VUo ajVs8BFnIsdjy1+SCxwczzzdJJpmiSjv0IN1+bNhhamHiQbXTP63kkQ=
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTPSA id 03879161E for <trans@ietf.org>; Mon, 12 May 2014 11:01:28 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id m15so7325681wgh.20 for <trans@ietf.org>; Mon, 12 May 2014 11:01:27 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.119.34 with SMTP id kr2mr23109004wjb.34.1399917687791; Mon, 12 May 2014 11:01:27 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Mon, 12 May 2014 11:01:27 -0700 (PDT)
In-Reply-To: <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com>
Date: Mon, 12 May 2014 13:01:27 -0500
Message-ID: <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Joseph Bonneau <jbonneau@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/-20f6oTfyMBXvW8tDfgtDmcY5fo
Cc: Warren Kumari <warren@kumari.net>, "trans@ietf.org" <trans@ietf.org>, Paul Wouters <paul@nohats.ca>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 18:01:37 -0000
On Mon, May 12, 2014 at 12:54 PM, Joseph Bonneau <jbonneau@gmail.com> wrote: >> Clients (lazily perhaps). The public. Domain owners. Registrars. > > Certainly possible, but I wonder how much this will happen in a world of > thousands of DNSSEC-CT logs existing for various domains. Some of them The ones that matter most are the TLDs and the root. Those get so many users that they will be caught MITMing, if they do. > With CT for x.509 certs the assumption is that smaller number of logs are > run which are very important and any screwup is a BFD. I don't know if that > assumption scales to thousands of DNSSEC-CT logs. You're assuming I zones below the ones that matter audited, but I don't. I want the root ones audited -- same as with the TLS server PKI. Why would I have wanted anything else? >> Remember, com. and . cannot merely MITM foo.bar.com. com. would have >> to MITM bar.com. as well. And . would have to MITM com. too. These >> would be noticeable. > > What about a compelled creation attack (or undetected key compromise) where > malicious entries are signed by the genuine evil.com key? For example, say > evilhosting.com gives me jbonneau.evilhosting.com and I care that they only > sign my records for this domain so that nobody can MITM my site. But they > secretly agree to give the government of Elbonia a signed record for my > domain and then fail to log them properly. They can do this without any > compromise or intervention of com, right? If evilhosting.com has lots of customers, then they'll help audit it, else they might not. At any rate, the first-order problem in a hierarchical public key system is keeping the roots and intermediates closest to the roots honest. Nico --
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent