Re: [Trans] DNSSEC also needs CT
Nico Williams <nico@cryptonector.com> Mon, 02 June 2014 23:14 UTC
From: Nico Williams <nico@cryptonector.com>
To: Stephen Kent <kent@bbn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/FQrceY32OQ3Oknuh5gbC68gIhUI
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DNSSEC also needs CT
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On Mon, Jun 2, 2014 at 12:20 PM, Stephen Kent <kent@bbn.com> wrote:
>> On Thu, May 22, 2014 at 1:48 PM, Stephen Kent <kent@bbn.com> wrote:
>> I take it you concede that lack of name constraints isn't the only
>> reason to want CT.
>
> agreed.
>
>> I'll concede that CT for DNSSEC might not be a good idea. Did I ever
>> say it is? I started the discussion with an inference: CT is for
>> PKIs, DNSSEC is a PKI, therefore CT fits DNSSEC, discuss.
>
> I thought you did. I think CT for the Web PKI needs is missing an arch
> doc, and absent that doc it's now clear how good CT is for that case.
> This I consider it premature to suggest CT for DNSSEC is an obvious next
> step, as some have suggested.

I posted today providing my take as to one aspect of the CT architecture:

http://www.ietf.org/mail-archive/web/trans/current/msg00315.html

As I've understood it CT is partly about CA reputation. As such CA
failures [to not MITM] should be handled asynchronously. I think this
is an important consideration because it speaks to when the client
(and domain owners, and auditors) should do the hard work of checking
the CT logs.

> The experimental RFC does not provide a comprehensive problem statement,
> a clear description of all of the elements of a proposed solution, an
> explicit discussion of all of the assumptions that appear to underlie the
> design, i.e., what must happen for CT to achieve its goals, and an
> analysis of what happens if some (implicit) assumptions are not satisfied.
>
> I'm going to develop what I see as the missing arch doc, to elicit feedback
> from the WG and the RFC authors. The WG can decide whether this is
> necessary, but I believe the exercise will, in any case, be useful.

I agree that CT is missing this. That doesn't (and shouldn't) keep
one from asking if CT is applicable to DNSSEC, and if so what that
might look like.

Hand-waving a bit, if a) CT is a keep-CAs-honest mechanism in addition
to enabling domain owners to find out about erroneous certificate
issuance for their domains, b) CT applies to PKI in general (not just
PKI as in RFC5280), and c) DNSSEC is a PKI, then d) it's a fair
inference that CT ought to apply to DNSSEC. The three conditions seem
to be true.

It's not a fair inference that CT ought to be applied to DNSSEC, of
course. Even if CT can be applied to DNSSEC and even if it is
desirable to do so for many, there are still possibly strong arguments
to make against it. For example, domain owners might object to yet
another "tax" on them: there's domain registrar fees, CA fees, and now
log fees paid indirectly. And then auditing costs (probably
outsourced).

I'm sympathetic to such an argument. Add to that the benefit side of
a proper cost/benefit analysis... For the TLS PKI case the benefit is:

 - mitigates the lack of name constraints
 - detects MITMing CAs

For DNSSEC the only benefit is the MITM detection one. Assuming that
detections will be of a) errors by registrars, and b) political/legal
actions that we can't do much more about than detect... is this enough
value to justify the additional costs? This is a value judgement to
be made by the market.

Nico
--