Re: [Trans] DNSSEC also needs CT

Ben Laurie <benl@google.com> Fri, 23 May 2014 13:00 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C4B1A046D for <trans@ietfa.amsl.com>; Fri, 23 May 2014 06:00:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.029
X-Spam-Level:
X-Spam-Status: No, score=-2.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToxL89yss8SR for <trans@ietfa.amsl.com>; Fri, 23 May 2014 06:00:10 -0700 (PDT)
Received: from mail-vc0-x231.google.com (mail-vc0-x231.google.com [IPv6:2607:f8b0:400c:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28A701A046B for <trans@ietf.org>; Fri, 23 May 2014 06:00:10 -0700 (PDT)
Received: by mail-vc0-f177.google.com with SMTP id hq11so384364vcb.22 for <trans@ietf.org>; Fri, 23 May 2014 06:00:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=P+VQxHFwT046YbLQXqgafh8DfivCVTIqQHjhfWRFzLY=; b=QW4jgpuMK841PbgIS4DSsjngunOA2PfWuZv+12c+MwD/dgpc2gDiWXIZtUDZiBcQK/ sg80DKClQh2dTQeaN0C4fSd61nyyRnGIm1UN7xmUSMCTlkv6AmSbnVUmtFKOPC1i+n4W 3UjlSC//Yit1+Z1Th6TEbdMSQtGmLmgNdu1j0+7voa36GifW+ZsSWX3xLY2GvSfnUHwQ /MvnXdWpMCNQ564u7NO2nDu/mVnKFbXH4qJrVldy8acl2zSgRwd3fqIosmO0lAXcSDw8 oHodUjpNWvvbSdLdaQZqYmy1Fpsn34uVTcChASseetPw90iHODP0qZJoZGJhwBHbxgHG 5HcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=P+VQxHFwT046YbLQXqgafh8DfivCVTIqQHjhfWRFzLY=; b=aIM0L/NNZhZKjty/9pKBynS1d3Mf/NR6h4hdouBqHBJftSTgGmhiWUv+FkQEnaGoCL +gk8OpXlIA2UomiN0IK7BFg8GKDzUOo3BR8T1pxvofNgb5dEjrwSO2D+bGSToo16JGha q/f33a56QKatFM9GMOhm1zvmmPXRpG+iJ347NtYWftpV+/9Mu0wIZf+z/8cS1Ykqdtwt 3m+3YoTqMzDrx9LgOJZIBHgjmNU0lZvg1MtcXz2szCji6WG3zRHMfpsrnxoC+X/Hfmyy n2rFfeU2KlYLSZogznFdpNvHF2rCHkLMrh5iIbBuJFN+k0f3XE+QIm1p/LkOmnz1RbQD NSqg==
X-Gm-Message-State: ALoCoQnCUXkWKDSeV/E3vMvBedwBJ5YOEmrb1yz95pmlMVkWoRu875fdGM8CBlSIOqDl3St+vZ6X
MIME-Version: 1.0
X-Received: by 10.52.164.237 with SMTP id yt13mr3382668vdb.18.1400850007829; Fri, 23 May 2014 06:00:07 -0700 (PDT)
Received: by 10.52.107.132 with HTTP; Fri, 23 May 2014 06:00:07 -0700 (PDT)
In-Reply-To: <1C7BC1B3-B792-43F4-BC8F-C75FC8965B6E@verisign.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <537E3229.4070402@bbn.com> <1C7BC1B3-B792-43F4-BC8F-C75FC8965B6E@verisign.com>
Date: Fri, 23 May 2014 14:00:07 +0100
Message-ID: <CABrd9STR=3zpau+hByvW0Sqd3gY_cmUgjn3D7_3yXjaobG7oeg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "Osterweil, Eric" <eosterweil@verisign.com>
Content-Type: multipart/alternative; boundary=001a11c2c1d219cc4704fa10cfd5
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/0Ckwa6rrZnNez5cbvU-jQxMce1w
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 13:00:14 -0000

On 22 May 2014 18:32, Osterweil, Eric <eosterweil@verisign.com> wrote:

>
> On May 22, 2014, at 1:21 PM, Stephen Kent <kent@bbn.com>
>  wrote:
>
> > Nico,
> >> DNSSEC is a PKI [of sorts; please, no need to pick nits about that].
> > agreed.
> >> It stands to reason that DNSSEC should have similar trust problems as
> >> PKIX.  I believe it does indeed.
> > PKIX, per se, does not have the trust problems that seem to motivate
> > CT; the Web PKI does. That PKI has always had a serious problem because
> > any TA can issue a cert for any Subject, irrespective of the Subject
> name.
> > because DNSSEC intrinsically incorporate the equivalent of PKIX Name
> > Constraints, it does not suffer from that specific problem. That's not to
> > say that mis-issuance is not possible in DNSSEC, but rather that its
> > effects are more limited.
> >> It follows that things like CT that we're applying to PKIX should be
> >> applied to DNSSEC as well, where possible.
> > maybe.
> >> I don't see any reason why CT couldn't be extended to DNSSEC.  IMO, it
> >> should be done.
> > I'll defer to DNS experts on that.
>
> Without implying an presumption of expertise on DNS, I would argue that
> DNSSEC avoids the problems CT seems to be trying to solve by coupling its
> key learning (and verification) methods to the hierarchical namespace.  As
> Steve said (I believe) PKIX != Web PKI, and the problems addressed by CT
> seem to be focused more on the latter.  I don't think there is a key
> learning/verification dilemma in DNSSEC that CT is appropriate for.
>

I disagree: the purpose of CT is to ensure that those who can mess with the
signing chain are monitored for correct behaviour. How people get into the
signing chain does not alter the need to monitor their correct behaviour.



>
> Eric
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>
>


-- 
Certificate Transparency is hiring! Let me know if you're interested.