[Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs CT
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 13 May 2014 14:54 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78FA91A00E8 for <trans@ietfa.amsl.com>; Tue, 13 May 2014 07:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 8.1
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_WS_SURBL=10] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivKL7NEtJm_x for <trans@ietfa.amsl.com>; Tue, 13 May 2014 07:54:08 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id BCE0A1A00DE for <trans@ietf.org>; Tue, 13 May 2014 07:54:08 -0700 (PDT)
Received: from [10.70.10.127] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 116B2F985; Tue, 13 May 2014 10:53:57 -0400 (EDT)
Message-ID: <537231FC.4010007@fifthhorseman.net>
Date: Tue, 13 May 2014 10:53:48 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.5.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>, Joseph Bonneau <jbonneau@gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com>
In-Reply-To: <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Qc4cPhr6xTWICoj1Vu2mKwH8wEDmqBNu2"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/alxurJFdF5U1qF3BuBZm6Mhgl1E
Cc: Ben Laurie <benl@google.com>, "trans@ietf.org" <trans@ietf.org>, Paul Wouters <paul@nohats.ca>, Warren Kumari <warren@kumari.net>
Subject: [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 14:54:10 -0000
On 05/12/2014 02:01 PM, Nico Williams wrote: > On Mon, May 12, 2014 at 12:54 PM, Joseph Bonneau <jbonneau@gmail.com> wrote: >>> Clients (lazily perhaps). The public. Domain owners. Registrars. >> >> Certainly possible, but I wonder how much this will happen in a world of >> thousands of DNSSEC-CT logs existing for various domains. Some of them > > The ones that matter most are the TLDs and the root. Those get so > many users that they will be caught MITMing, if they do. I think technically what we care about is the public registries, not the TLDs. This was my point about the public suffix list and DBOUND: that we care about .co.uk just as much as we care about .net. I know that some people use the term TLD to refer to the public registries instead of "top-level domains", but i think it's worthwhile to be precise in this discussion. > If evilhosting.com has lots of customers, then they'll help audit it, > else they might not. If evilhosting.com is handing out subdomains to its customers and expecting them to act as different administrative sub-zones, then evilhosting.com effectively *is* a public registry, and as such it needs to be auditable as well. (it also needs to be considered a public registry for the sake of cookies and other same-origin policy things on the web, for example, so that jbonneau.evilhosting.com can't set cookies that would apply to dkg.evilhosting.com). > At any rate, the first-order problem in a > hierarchical public key system is keeping the roots and intermediates > closest to the roots honest. agreed that the primary concern is transparency, monitoring, and auditability of accumulated centralized control. Who is actually doing the monitoring and auditing is a separate question, though. note that CT appears to differentiate between monitoring (RFC 6962 section 5.3) and auditing (RFC 6962 section 5.4) in this way: Auditors make sure that SCTs are cryptographically valid against an STH, and that one STH chains properly to another; Monitors make sure that the whole log itself is cryptographically valid, looking at all the data. Neither of these activities describes the actual checks that would need to happen for misissuance to be detected. As noted in section 7.2, "interested parties" need to think about how to monitor to ensure that items with their administrative domains are not logged by other parties. If this is neither "Monitoring" nor "Auditing" maybe we need a name for this kind of activity, so we can discuss it more directly? how about "misissuance review"? So if Alice registers example.co.uk, she wants to do misissuance review for that zone. But in a DNSSEC context, she needs to do misissuance review of the parent zones as well. That is, she wants to ensure that .uk is not publishing spoofed records about the .co.uk nameservers and zone signing keys (how does she know if a change in DNSSEC records at this layer is a legitimate change?). And she also wants to ensure that .co.uk is not publishing spoofed records about the example.co.uk zone. How does she know what logs to look in for this misissuance review? Is there a way she can do this review efficiently? I think these questions are relevant for regular CT as well, but a DNSSEC-focused CT adds the wrinkle of delegated zones. (maybe this isn't actually worse than X.509 PKI with its fully-delegated intermediate CAs though?) --dkg
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent