Re: [Trans] DNSSEC also needs CT

Warren Kumari <warren@kumari.net> Sat, 10 May 2014 09:39 UTC

In-Reply-To: <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAMm+Lwieij8Tm8V-gpE0eAfwie1dgtFL_Ga8dPkJFKJKLQDAcA@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com>
Date: Sat, 10 May 2014 05:38:59 -0400
Message-ID: <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/zY-dgRWsxBwyVH7KqPEUn4PIlDs
Cc: "trans@ietf.org" <trans@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>
Subject: Re: [Trans] DNSSEC also needs CT

On Fri, May 9, 2014 at 7:29 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Fri, May 9, 2014 at 6:12 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> The simplest way to align things is to simply have a certificate
>> issued for the DNSSEC zone KSK and plop that in the log as normal.
>
> Sure, each zone acts as a CA for its children.  That works, I think.

I have previously had some discussions about including DNSSEC / DANE /
self-signed certs -- one of the objections / concerns was the threat
of someone DoSing the logs by making up data (there is a cost to a CA
cert, but I can create an infinite number of TLSA records or self-signed
certs).

The main incentive (that I can see) to DoS the logs would be for the
lolz[0], and so (IMO) the protection does not need to be very strong -
having someone have to solve a captcha or make a small payment (could
become a donation) would be enough.

W
[0]: Unless you could kill off CT completely / make browsers stop
requiring it (and so allow someone to use an incorrect (misissued)
cert) I cannot see a financial incentive for anyone to do this.
