Re: [Trans] DNSSEC also needs CT
Nico Williams <nico@cryptonector.com> Tue, 13 May 2014 15:12 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70F741A0124 for <trans@ietfa.amsl.com>; Tue, 13 May 2014 08:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyJ7Z4uZRTPr for <trans@ietfa.amsl.com>; Tue, 13 May 2014 08:12:18 -0700 (PDT)
Received: from homiemail-a111.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 74E2C1A0125 for <trans@ietf.org>; Tue, 13 May 2014 08:11:39 -0700 (PDT)
Received: from homiemail-a111.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a111.g.dreamhost.com (Postfix) with ESMTP id 1660A2007F008 for <trans@ietf.org>; Tue, 13 May 2014 08:11:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=g48Y6LRCtThv6aMbKR++ gMsxTes=; b=ibrT3uKFllhqDJHSbxxzotzJHWMrggbnekRvGxtmIBsj9zY8LbgX H9lNg2TXWJTUFoRW6YVnhe16uBv92GMJWUn9qebls6mkqVixkxBc0/LcJqQqnOit Va5zRtF5zyyW+iqh081bzW2+7Rm4tClVV7aCvfN+CEhyxXGEySh6u8o=
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a111.g.dreamhost.com (Postfix) with ESMTPSA id BF8212007F003 for <trans@ietf.org>; Tue, 13 May 2014 08:11:32 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id bs8so7264616wib.3 for <trans@ietf.org>; Tue, 13 May 2014 08:11:31 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.108.147 with SMTP id hk19mr21252934wib.42.1399993891648; Tue, 13 May 2014 08:11:31 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Tue, 13 May 2014 08:11:31 -0700 (PDT)
In-Reply-To: <537231FC.4010007@fifthhorseman.net>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <537231FC.4010007@fifthhorseman.net>
Date: Tue, 13 May 2014 10:11:31 -0500
Message-ID: <CAK3OfOi1GuwuaW42B1kpaj_HM989fJOOuGkoJsortuEqUfOJxA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/5yM3EYb-MJlWAMsAJxnpSrFPqdo
Cc: Ben Laurie <benl@google.com>, "trans@ietf.org" <trans@ietf.org>, Joseph Bonneau <jbonneau@gmail.com>, Warren Kumari <warren@kumari.net>, Paul Wouters <paul@nohats.ca>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 15:12:20 -0000
On Tue, May 13, 2014 at 9:53 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > On 05/12/2014 02:01 PM, Nico Williams wrote: >> The ones that matter most are the TLDs and the root. Those get so >> many users that they will be caught MITMing, if they do. > > I think technically what we care about is the public registries, not the > TLDs. This was my point about the public suffix list and DBOUND: that > we care about .co.uk just as much as we care about .net. > > I know that some people use the term TLD to refer to the public > registries instead of "top-level domains", but i think it's worthwhile > to be precise in this discussion. That's fair. I do tend to think of co.uk. as a TLD... for lack of a better term (is there one?), yes. You're quite right: if a zone is (has) a public registrar(s) then it should be audited w/o privacy. Whereas if it doesn't sell registrar services, then it is less important that it log names: we can assume that names below it are roughly in the same administrative domain as the zone itself. >> If evilhosting.com has lots of customers, then they'll help audit it, >> else they might not. > > If evilhosting.com is handing out subdomains to its customers and > expecting them to act as different administrative sub-zones, then > evilhosting.com effectively *is* a public registry, and as such it needs > to be auditable as well. (it also needs to be considered a public > registry for the sake of cookies and other same-origin policy things on > the web, for example, so that jbonneau.evilhosting.com can't set cookies > that would apply to dkg.evilhosting.com). Agreed. > Who is actually doing the monitoring and auditing is a separate > question, though. > > note that CT appears to differentiate between monitoring (RFC 6962 > section 5.3) and auditing (RFC 6962 section 5.4) in this way: > > Auditors make sure that SCTs are cryptographically valid against an > STH, and that one STH chains properly to another; > > Monitors make sure that the whole log itself is cryptographically > valid, looking at all the data. > > Neither of these activities describes the actual checks that would need > to happen for misissuance to be detected. As noted in section 7.2, > "interested parties" need to think about how to monitor to ensure that > items with their administrative domains are not logged by other parties. I would think that domain owners are "interested parties", and/or maybe agents they delegate to (e.g., hosting companies). I can audit the logs for my domain's parent zone. But yes, this probably needs to be covered in more detail. (Are there FOSS implementations of monitors/auditors?) > If this is neither "Monitoring" nor "Auditing" maybe we need a name for > this kind of activity, so we can discuss it more directly? how about > "misissuance review"? It seems to fall into "monitoring" given the text of the RFC. > How does she know what logs to look in for this misissuance review? Is > there a way she can do this review efficiently? I think these questions > are relevant for regular CT as well, but a DNSSEC-focused CT adds the > wrinkle of delegated zones. (maybe this isn't actually worse than X.509 > PKI with its fully-delegated intermediate CAs though?) No, it's easier! With the name contraint-free TLS PKI the domain owner has to check... every root CA. With DNSSEC, which has strict name constraints, there's only one issuer for each zone cut. Nico --
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent