Re: [Trans] DNSSEC also needs CT

Phillip Hallam-Baker <> Sun, 11 May 2014 16:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6C9BC1A0267 for <>; Sun, 11 May 2014 09:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Yqyqbj5cE_Gs for <>; Sun, 11 May 2014 09:49:51 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::22e]) by (Postfix) with ESMTP id 085B31A0266 for <>; Sun, 11 May 2014 09:49:50 -0700 (PDT)
Received: by with SMTP id n12so5961180wgh.29 for <>; Sun, 11 May 2014 09:49:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OQ7mnFElna7D49wamo6ldIg2FFut26aUdbIpoNVK0H4=; b=shPnGhIdwPW075fuibfU0dIjG9MGCDTRUAuNKP//JS6yVYafnfzU4Xds2erf+7r13p JpgbTI6clCY/4AUTffSUouVvGmE3YCOt26sAuk0q+OORORLpJhJ6O3VwM0w9iIyskq+p YNn/AaOwzeWB2XCq8lylSoRnj+7C6Bj9U78SbGwRGbbUPj2hjFDdN7a9UwlcgtlJ4nJH m2eZ7piyU1BXutA4IJEQZrZMAS7nhFYwuxyq5esuAiKt3TCW98+FHMbUWNiXsKzHCFX1 Gh2aVCs92kd75vrR/YShXPW5h3xu1FhZXjEEqXpluBoEoSxCT4iTswlH2rUCI/8RqHlu 2b3A==
MIME-Version: 1.0
X-Received: by with SMTP id ck17mr17829384wjb.14.1399826985006; Sun, 11 May 2014 09:49:45 -0700 (PDT)
Received: by with HTTP; Sun, 11 May 2014 09:49:44 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
Date: Sun, 11 May 2014 12:49:44 -0400
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Paul Wouters <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Trans] DNSSEC also needs CT
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 May 2014 16:49:52 -0000

On Sun, May 11, 2014 at 11:37 AM, Paul Wouters <> wrote:
> On Sun, 11 May 2014, Phillip Hallam-Baker wrote:
>> It is probably fair to assume that CT logs will be maintained by CAs
> That would be a non-starter for those people (let's call them the defcon
> crowd) who are looking at dnssec as a way out of the trust in a handful
> of CAs or TLD operators.

As I went on to say:

"It is probably fair to assume that CT logs will be maintained by CAs
but it would be entirely practical for an open service to be
established. The criteria are rather simpler to enforce than
certificate issue."

I don't see the CAs running CT logs as being necessarily exclusive.

In particular, running a CT log does not require audit which is the
difficult part of being a CA. The whole point of transparency is that
the operation of the log does not need a trusted auditor with special
access. Anyone can audit the operation of the log.

Now what the non-CA application does call for is thinking through a
lot more of the operation of the logs and how they are held

>> The main question is what purpose a CT log for DNSSEC would serve. For
>> me the value would be to protect my domain against having it stolen by
> Or any of the parental zones above your own zone.

True and that concern has already been an issue with zones such as which was grabbed back when the value of the zone was realized.