Re: [Trans] DNSSEC also needs CT

Ben Laurie <benl@google.com> Sun, 11 May 2014 21:32 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 843B41A0368 for <trans@ietfa.amsl.com>; Sun, 11 May 2014 14:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.029
X-Spam-Level:
X-Spam-Status: No, score=-2.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iC7dRh43T6Uq for <trans@ietfa.amsl.com>; Sun, 11 May 2014 14:32:54 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id F14061A0366 for <trans@ietf.org>; Sun, 11 May 2014 14:32:53 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id lg15so7696945vcb.7 for <trans@ietf.org>; Sun, 11 May 2014 14:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QFcaYSI4YmaOlZm5I8fUSEmaHnl4xlVmdGfZ0/CJlg8=; b=XI90QVEzlqPdBnWZQgYbcukJixRKMDJR5jT897K10f9x7ZgdZDzYM/GtuvjTfLI5gk IPwCMtlKoowwAoiNjNLSmf8/KP5yAroo+/Ku/gqWu0QoPjqhy9hfMY/YcEsTuEXOWLBn 3PRhxMohC3tD+E8XrPtcBBKOd+awnn/iUgeJqdkIU7SxnXSwPesWyX71C+qjR03fD1+K RdZ8uy0rowBP5OAFU2xZUbNxLP1QVnYYmrbbuyhc2hx+WkjsZ+pomuKCeCjgwjCjkIa9 rlSkrNZlGt/Vl3pOCymmOVT5bvEBkEivtf7CIiT4vOgbvpBt6GH7FzeoZio5gWJxhXTU egXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QFcaYSI4YmaOlZm5I8fUSEmaHnl4xlVmdGfZ0/CJlg8=; b=MpvB50O2Nka1bNi/Nvsa0wIoy0HcDqsc7eSd7tkiO2o2/Ln5+gK2dwwDcpAckYawBw F4V3/P84mMncF5muPpili8W5jhDSeHrefrcQscowjDM4OhmJOT74nsKFZyFZyKQtN0Cj 2nKQWbl/zKvJgeQtCTip/wgfXSFhqGpGnBTWuodpOK+gilZgO+WoBU2aqRQ7FCi6/fK5 8FxST+CbAcVVY6/oDLlaqGLU+ejndtscqYFZ2GPT/kst0Nihtr2GHrMiyC7qRduiT5v7 xOfIg7unuGO89ypkgdrTOBZrJtbLHDm2BkFBEKqWLqrIYLa73F0NJtUP2kal6QxbDmPr Ko2Q==
X-Gm-Message-State: ALoCoQn2ZWhpSHfI6TXNYmRdqfH6DNLBx9gzvwYSMLGYyxB0y/3bjRBZ+HF8AUxQa/O9D3XAm2qz
MIME-Version: 1.0
X-Received: by 10.220.163.3 with SMTP id y3mr19532250vcx.7.1399843967897; Sun, 11 May 2014 14:32:47 -0700 (PDT)
Received: by 10.52.252.97 with HTTP; Sun, 11 May 2014 14:32:47 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca>
Date: Sun, 11 May 2014 22:32:47 +0100
Message-ID: <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary=001a1133da6672b24104f9269260
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Xs1xYAL95N-RDGhsWqbQRJCeYtA
Cc: "trans@ietf.org" <trans@ietf.org>, Warren Kumari <warren@kumari.net>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 21:32:56 -0000

On 10 May 2014 22:31, Paul Wouters <paul@nohats.ca> wrote:

> On Sat, 10 May 2014, Warren Kumari wrote:
>
>> On Fri, May 9, 2014 at 7:29 PM, Nico Williams <nico@cryptonector.com>
>> wrote:
>>
>>> On Fri, May 9, 2014 at 6:12 PM, Phillip Hallam-Baker <hallam@gmail.com>
>>> wrote:
>>>
>>>> The simplest way to align things is to simply have a certificate
>>>> issued for the DNSSEC zone KSK and plop that in the log as normal.
>>>>
>>>
>>> Sure, each zone acts as a CA for its children.  That works, I think.
>>>
>>
> The problem with that approach is that it does not make DNSSEC distinct
> from the existing CA PKI. It will also not remove the cost factor of
> getting a DNSSEC "certificate" from a "certified" CABforum member.
I think you're reading too much into "acts as a CA" ... it is a matter of
fact that the parent zone signs for its children.


>> I have previously had some discussions about including DNSSEC / DANE /
>> self signed certs -- one of the objections / concerns was the threat
>> of someone DoSing the logs by making up data (there is a cost to a CA
>> cert, but I can create an infinite number of TLSA records or self
>> signed certs).
>>
>
> Cost should IMHO not become a verification factor. That's the whole
> reason https hasn't been universally deployed to begin with. We should
> not make the same mistake with DNSSEC.
>
>
>> The main incentive (that I can see) to DoS the logs would be for the
>> lolz[0], and so (IMO) the protection does not need to be very strong -
>> having someone have to solve a captcha or make a small payment (could
>> become a donation) would be enough.
>>
>
> Or just say that anyone who puts in more than X amount of DNSSEC CT
> entries underneath themselves must run a public CT node themselves. So
> if nohats.ca want to get more then X entries, or one of their
> subzones/customers wants more than X entries, either they or their
> subzone/customer will have to run a fully functional CT node. And if
> the node goes down, their new entries will be refused.
Yes, exactly. +1
>
>
> Paul
>
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>
-- 
Certificate Transparency is hiring! Let me know if you're interested.
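An added illustration of the admission rule Paul sketches above (more than X entries beneath a zone means that zone, or the subzone asking for the capacity, must run a reachable public CT node, and new entries are refused while that node is down). This is example code written for this archive page, not code from the thread, from the trans WG or from any CT log implementation; the quota value, the `probe` callback standing in for "fully functional CT node" and the zone names are all constructed.

```python
"""
Model of a per-zone submission quota for a hypothetical DNSSEC-entry CT log.
Constructed example; the rule it encodes comes from the mailing-list thread,
the details (quota value, how a node is probed) are assumptions.
"""
from collections import defaultdict

QUOTA = 3  # the thread's "X"; deliberately tiny so the demo below hits it


def ancestors(name):
    """Return a name and every zone above it, leaf first.

    'www.nohats.ca' -> ['www.nohats.ca', 'nohats.ca', 'ca']
    """
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class DnssecLog:
    def __init__(self, quota=QUOTA, probe=lambda zone: False):
        self.quota = quota
        self.probe = probe               # assumed: reachability check of a zone's CT node
        self.operators = set()           # zones that have registered a public node
        self.counts = defaultdict(int)   # entries accepted at or beneath each zone
        self.entries = []

    def register_node(self, zone):
        self.operators.add(zone.lower())

    def submit(self, name):
        """Apply the quota rule; returns (accepted, reason)."""
        chain = ancestors(name)
        for depth, zone in enumerate(chain):
            if self.counts[zone] < self.quota:
                continue
            # `zone` is over quota: it, or a zone between the submitted name and
            # it (the "subzone/customer"), must be running a node right now.
            candidates = [z for z in chain[: depth + 1] if z in self.operators]
            if not candidates:
                return False, (f"{zone} is over quota ({self.quota}) and neither it "
                               f"nor the submitting subzone runs a CT node")
            if not any(self.probe(z) for z in candidates):
                return False, (f"{zone} is over quota and the CT node(s) of "
                               f"{', '.join(candidates)} are unreachable")
        # Count the entry against the name and every zone above it.
        for zone in chain:
            self.counts[zone] += 1
        self.entries.append(name)
        return True, "accepted"


def demo():
    """Constructed scenario: returns the accept/refuse decision for each step."""
    reachable = {"nohats.ca"}                      # nodes that currently answer probes
    log = DnssecLog(quota=3, probe=lambda z: z in reachable)
    decisions = []
    for n in ("a.nohats.ca", "b.nohats.ca", "c.nohats.ca"):
        decisions.append(log.submit(n)[0])         # three free entries fill nohats.ca's quota
    decisions.append(log.submit("d.nohats.ca")[0])  # refused: over quota, no node registered
    log.register_node("nohats.ca")
    decisions.append(log.submit("d.nohats.ca")[0])  # accepted: the zone now runs a node
    reachable.clear()                              # the node goes down ...
    decisions.append(log.submit("e.nohats.ca")[0])  # ... so new entries are refused
    decisions.append(log.submit("x.example.org")[0])  # unrelated zone is unaffected
    return decisions


if __name__ == "__main__":
    print(demo())  # [True, True, True, False, True, False, True]
```

One consequence of applying the rule literally, visible in the model: the counter for `ca` fills as fast as the counters for every zone beneath it, so once a TLD passes X every submitter under it needs a node unless the registry operates one. A real policy would presumably start the quota below the public suffix or scale X by level; the thread does not say which.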