Re: [websec] Suggestions for Fixing PKI

Adam Langley <agl@google.com> Mon, 20 April 2015 18:43 UTC

Return-Path: <agl@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B72E61B2CA2 for <websec@ietfa.amsl.com>; Mon, 20 Apr 2015 11:43:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THIPCojs38U0 for <websec@ietfa.amsl.com>; Mon, 20 Apr 2015 11:43:10 -0700 (PDT)
Received: from mail-qc0-x229.google.com (mail-qc0-x229.google.com [IPv6:2607:f8b0:400d:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBDA11A1A4C for <websec@ietf.org>; Mon, 20 Apr 2015 11:43:09 -0700 (PDT)
Received: by qcyk17 with SMTP id k17so63588496qcy.1 for <websec@ietf.org>; Mon, 20 Apr 2015 11:43:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=zAmMYRLmMGXG+Oe7CfR1sDOXHLeWFZY3tC/b1q2q23U=; b=Hbav0qHVr7OWHhV6JQjbHx6wLsfG3x2tGRCpUyVahzFEUuy0dlFK6pl/vAbrRQ6r3F SgYsvyH6sfxf72SFTYl/4wyWUMYiK7NWaVwhDxcTCvFeDmVPjDhodza/ctLUSwU3G03d MuzLIECaa2g/Ik6AiRYgn9SNfDPkfRNNFpqkm+ANdGx/kCPNm9tGoMhy0qP4xYwPWeNE e7BR2C75115w2bdkgOdBkTm4Pc6KeXnzvQ7oVTLKViJt8Oe2c59e237ka9ibDo2Xv2+Z Cjqhm6U80ZRqNBQKLqxAGrbkVaXVlOnRAhP9hp5/g+hYsEvL+TBr9JBkFL5vGlU9LYOB oYjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=zAmMYRLmMGXG+Oe7CfR1sDOXHLeWFZY3tC/b1q2q23U=; b=lSBwqo3R8bN+f6MhNy/iM3tC/1K0J33BBQ4HsxPVb5Sq6Gcm1hT+zgmZtevpas6S1l S8Po8Lpu2g/6FWviLAF6icKKdVBtThT/OQTXd1rOFhlOt505nT63EPtN6Q4I8iK0zFEu q8UfT3/1r4WAwifM2y1cdOMM5rm80NSlsWWJLkkjoQnPEzBb+WzQSxEm1zyTK2lQqJmL EQeHgxIBKs16tZw5TfWfoECMj2o9+j2PPUHc1WjEI/fCjlb/WsFI0uXplBm7c0ZHqm6Q wcu0eUA5nsw6pC2w0ptGgtA99/+vcWPux5bcI/Xg9/irAED4wH3XvN+dy5nXSkVQ1Hp8 rRgw==
X-Gm-Message-State: ALoCoQkXLe1U0sAXAzqJ53B8YDMVXpD5ut3aMDnFjG5AzMP9xlRP5TIkowVPhwU8U1QgJFZ2viDB
X-Received: by 10.55.31.5 with SMTP id f5mr31148670qkf.42.1429555389137; Mon, 20 Apr 2015 11:43:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.130.69 with HTTP; Mon, 20 Apr 2015 11:42:48 -0700 (PDT)
In-Reply-To: <5535311F.6020103@domblogger.net>
References: <5535311F.6020103@domblogger.net>
From: Adam Langley <agl@google.com>
Date: Mon, 20 Apr 2015 11:42:48 -0700
Message-ID: <CAL9PXLxg5XEqorvxD3r05Y36gjk-rPu8Ggt4Z7SeDK9eP-RpTw@mail.gmail.com>
To: Alice Wonder <alice@domblogger.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/3myNoYZvnN1mpCeX7-1UuxTmpco>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Suggestions for Fixing PKI
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Apr 2015 18:43:10 -0000

On Mon, Apr 20, 2015 at 10:02 AM, Alice Wonder <alice@domblogger.net> wrote:
> For each valid certificate, the DNS server will respond as an authoritative
> DNS to a request for a TXT record of the serial number. For example:
>
>     dig TXT d3we74ldqw1190.example.pki. +short
>
> would then get the rdata for that certificate, with a record that can be
> DNSSEC validated, if the certificate is valid.

We experimented with this in Chrome, although the TXT record was
planned to contain something similar to a signed, OCSP response.

We found that ~3–4% of users couldn't lookup TXT records. That rather
sunk it since it would need to be hard-fail.


Cheers

AGL