Re: [Trans] DNSSEC also needs CT

Stephen Kent <kent@bbn.com> Thu, 22 May 2014 17:21 UTC

Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8C1B1A0226 for <trans@ietfa.amsl.com>; Thu, 22 May 2014 10:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnrCBp2p5io2 for <trans@ietfa.amsl.com>; Thu, 22 May 2014 10:21:48 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39FD21A0219 for <trans@ietf.org>; Thu, 22 May 2014 10:21:48 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:57420) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WnWgm-000BBi-TO for trans@ietf.org; Thu, 22 May 2014 13:21:56 -0400
Message-ID: <537E3229.4070402@bbn.com>
Date: Thu, 22 May 2014 13:21:45 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: trans@ietf.org
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com>
In-Reply-To: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Q6mcEHJuKYYgu4DNFbv6dvKMUoI
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2014 17:21:50 -0000

Nico,
> DNSSEC is a PKI [of sorts; please, no need to pick nits about that].
Agreed.
> It stands to reason that DNSSEC should have similar trust problems as
> PKIX.  I believe it does indeed.
PKIX, per se, does not have the trust problems that seem to motivate
CT; the Web PKI does. That PKI has always had a serious problem because
any TA can issue a cert for any Subject, irrespective of the Subject name.
Because DNSSEC intrinsically incorporates the equivalent of PKIX Name
Constraints, it does not suffer from that specific problem. That's not to
say that mis-issuance is not possible in DNSSEC, but rather that its
effects are more limited.
> It follows that things like CT that we're applying to PKIX should be
> applied to DNSSEC as well, where possible.
Maybe.
> I don't see any reason why CT couldn't be extended to DNSSEC.  IMO, it
> should be done.
I'll defer to DNS experts on that.

Steve
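To make the contrast drawn in the reply above concrete, here is an added illustration; it is not code from this thread or from any IETF project. It is a toy model in which the Web PKI check accepts a name-to-key binding from any trust anchor regardless of the Subject name, while the DNSSEC-style check additionally requires every signer to be an ancestor zone of the name it signs (the built-in equivalent of Name Constraints). All names, keys and helper functions (`in_zone`, `webpki_accepts`, `dnssec_accepts`, `run_comparison`) are constructed for the example, and signatures are modelled as labels rather than real cryptography.

```python
"""Toy comparison of Web PKI trust versus DNSSEC-style scoped trust.

Constructed example: signatures are replaced by an explicit "signer" label
and there is no real cryptography. The point is the authorization check,
not the crypto.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Assertion:
    """A signed binding of a name to a key (think: a cert, or a DS/DNSKEY set).

    name   - fully-qualified name, e.g. "www.example.com."
    signer - the authority that vouches for it (a CA name or a signing zone)
    key    - opaque label standing in for the public key
    """
    name: str
    signer: str
    key: str


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` in the DNS tree ("." is the root)."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def webpki_accepts(a: Assertion, trust_anchors: Set[str]) -> bool:
    """Web PKI model: any trust anchor may vouch for any Subject name.

    The only question asked is "is the issuer trusted?"; the Subject name
    is never compared against the issuer's scope.
    """
    return a.signer in trust_anchors


def dnssec_accepts(chain: List[Assertion], trust_anchor: str = ".") -> bool:
    """DNSSEC-style model: validate a chain from the leaf up to the trust anchor.

    chain[0] is the leaf binding. For every link:
      * the signer must enclose the name it signs (the name constraint), and
      * the signer's own key must be bound by the next link up (chain[i+1]).
    The topmost signer must be the configured trust anchor.
    """
    if not chain:
        return False
    for i, a in enumerate(chain):
        if not in_zone(a.name, a.signer):
            return False  # signer vouching outside its own subtree: rejected
        if i + 1 < len(chain) and chain[i + 1].name != a.signer:
            return False  # signer's key is not itself bound one level up
    return chain[-1].signer == trust_anchor


def run_comparison() -> Dict[str, bool]:
    """Exercise both models on constructed data and return the verdicts."""
    # Web PKI: two trust anchors; "RogueCA" mis-issues for a name it has no
    # relationship with, and the model cannot tell the difference.
    tas = {"GoodCA", "RogueCA"}
    legit_cert = Assertion("www.example.com.", "GoodCA", "K-legit")
    rogue_cert = Assertion("www.example.com.", "RogueCA", "K-rogue")
    unknown_cert = Assertion("www.example.com.", "UnknownCA", "K-unknown")

    # DNSSEC-style: a proper chain root -> com. -> example.com. -> leaf.
    good_chain = [
        Assertion("www.example.com.", "example.com.", "K-ex"),
        Assertion("example.com.", "com.", "K-com-ds"),
        Assertion("com.", ".", "K-root-ds"),
    ]
    # An unrelated zone (evil.org.) trying to vouch for www.example.com.
    foreign_chain = [
        Assertion("www.example.com.", "evil.org.", "K-evil"),
        Assertion("evil.org.", "org.", "K-org-ds"),
        Assertion("org.", ".", "K-root-ds"),
    ]
    # Mis-issuance by the parent (com.) is still accepted, but only inside
    # com.'s subtree: its effects are limited to names it already controls.
    parent_misissue_chain = [
        Assertion("www.example.com.", "com.", "K-bad"),
        Assertion("com.", ".", "K-root-ds"),
    ]
    parent_cross_tree_chain = [
        Assertion("example.org.", "com.", "K-bad"),
        Assertion("com.", ".", "K-root-ds"),
    ]
    return {
        "webpki_legit": webpki_accepts(legit_cert, tas),
        "webpki_rogue_ta_any_name": webpki_accepts(rogue_cert, tas),
        "webpki_untrusted_ta": webpki_accepts(unknown_cert, tas),
        "dnssec_good_chain": dnssec_accepts(good_chain),
        "dnssec_foreign_zone": dnssec_accepts(foreign_chain),
        "dnssec_parent_misissue_in_subtree": dnssec_accepts(parent_misissue_chain),
        "dnssec_parent_misissue_cross_tree": dnssec_accepts(parent_cross_tree_chain),
    }


if __name__ == "__main__":
    for case, verdict in run_comparison().items():
        print(f"{case:40s} {'accepted' if verdict else 'rejected'}")
```

Running it shows the asymmetry the reply describes: in the Web PKI model the rogue trust anchor's binding for `www.example.com.` is accepted just like the legitimate one, whereas in the scoped model a foreign zone cannot vouch for that name at all. Mis-issuance is still possible (the parent zone `com.` can bind a bad key for a child), but only within the signer's own subtree, which is what "its effects are more limited" means in practice.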