[Trans] How to make use of DNSSEC + TRANS

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 20 May 2014 15:09 UTC

Message-ID: <CAMm+LwiR_41LoygdGORe6otFrqYjRkDVbQqOzigc4ooJWvpkSA@mail.gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/6l8ZN-5-zY0-0agjZeMLmTzN9kw
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

I started this discussion on the Apps list but the technology that
would make it work is TRANS so I thought I would raise it here as
well.


One of the big problems with DNS is that I don't buy a DNS name, I can
only rent it. And that means that names that are DNS-bound can always
be reassigned in the future. Which is one of the reasons why HTTP URLs
are unsatisfactory.

Larry Masinter has of course raised this sort of concern before and
proposed dated URLs. But this morning a different approach to the
problem occurred to me:

Let's take a URL at a web site and imagine I download a page on 1st Jan 2010:
http://www.cnn.com/whatever.html

Now what if I wanted to connect up today to the same party that I
connected to last time. This is not the same as the URN or the dated
URL problem. I want to connect up to the same entity regardless of
whom ICANN happen to sell the domain name to next.

How about one of the following:

http://www.cnn.com.2010/whatever.html
http://www.cnn.com.1.2010/whatever.html
http://www.cnn.com.1.1.2010/whatever.html

DNS labels are not allowed to be all numbers but the DNS protocol
works for them. In fact they seem to work with my existing software
which was not a design goal but would be cool.


Now resolving such names would of course require a new infrastructure,
quite possibly a subscription infrastructure that would track the
changing ownership of the names over time. And this infrastructure
would probably involve Certificate Transparency like services and
DNSSEC.

But we could use this to provide persistence for Web content and for
Web services which would be incredibly cool.


We can also apply the same idea to email addresses:

phill@hallambaker.com could be anyone.
phill@hallambaker.com.16.5.2014 is uniquely my account.


So the infrastructure that would be required here would be

1) A set of trans notary logs that people could register their DNSSEC KSKs in.

2) A set of DNS servers that accepted DNS zone updates for dated zones
from the keyholders of the registered keys.


The practical effect would be that once a name was registered and the
key enrolled in the log, the holder of the key can then maintain the
claim to the dated zone for as long as they hold the key. Resolution
will continue to function as long as the keyholder provides updates.

One of the uses for this type of technology would be in cyber conflict
situations where we want to make use of a naming infrastructure that
does not introduce a possible point of compromise.