[Trans] A counter-argument (Re: DNSSEC also needs CT)

Nico Williams <nico@cryptonector.com> Sat, 10 May 2014 01:06 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 519AE1A00DD for <trans@ietfa.amsl.com>; Fri, 9 May 2014 18:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id iLt0Wi0MtvzF for <trans@ietfa.amsl.com>; Fri, 9 May 2014 18:06:41 -0700 (PDT)
Received: from homiemail-a54.g.dreamhost.com (sub4.mail.dreamhost.com []) by ietfa.amsl.com (Postfix) with ESMTP id 6E1421A014E for <trans@ietf.org>; Fri, 9 May 2014 18:06:39 -0700 (PDT)
Received: from homiemail-a54.g.dreamhost.com (localhost []) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTP id 100134012373F for <trans@ietf.org>; Fri, 9 May 2014 18:06:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:date:message-id:subject:from:to:content-type; s= cryptonector.com; bh=JE/68LmD0TpDVe4+ZV98q+zdXlU=; b=nP5rdG3DMdB hMXlDL67aga4TMmGwymXfgxr2H9puabijEKiHJnpRUJGSpUVffS36KELA7KTnss8 Tq7kzkdWC1JWNJ4zImT3ZK3HdcWnXv00qGiWWP2l1GKbOccJXmgAiS1O+ARLUIMr 9IpHcHsJFkZ9CUMiIpdPhn1Qfp/4ccG8=
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTPSA id B56A540123736 for <trans@ietf.org>; Fri, 9 May 2014 18:06:33 -0700 (PDT)
Received: by mail-wi0-f181.google.com with SMTP id n15so2115707wiw.14 for <trans@ietf.org>; Fri, 09 May 2014 18:06:32 -0700 (PDT)
MIME-Version: 1.0
X-Received: by with SMTP id ci6mr5493988wid.39.1399683992567; Fri, 09 May 2014 18:06:32 -0700 (PDT)
Received: by with HTTP; Fri, 9 May 2014 18:06:32 -0700 (PDT)
Date: Fri, 09 May 2014 20:06:32 -0500
Message-ID: <CAK3OfOhAftFkw_L9sYUszmAkb_SbBHtTDmvTtWbjwG_Af7OMWQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "trans@ietf.org" <trans@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ZOHY1_nEz_qUkQbLJMqktP_CaTk
Subject: [Trans] A counter-argument (Re: DNSSEC also needs CT)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 May 2014 01:06:42 -0000

A counter-argument would be that DNSSEC is like PKI with name
constraints done properly, and with most domains being children of
TLDs, there's really only two entities that can MITM them: the root
and the TLD registrars.

Therefore the risk of dishonest "CAs" is lower for DNSSEC than it is for PKI.

I've seen skepticism about CT along the lines of "who will pay?" and
"it's just another tax".  I don't think that should be dismissed out
of hand.  But I do think that in the long run we should do anything
that we can do and that is economical (very important, that) to make
it easier to at least catch misbehaving CAs/registrars/...  the jury
is still out as to whether CT be economical, right?