[Cryptography] Certificates and PKI

[Ben Laurie]

On 22 December 2014 at 15:47, Guido Witmond <guido at witmond.nl> wrote:
> On 12/22/14 14:33, Ben Laurie wrote:
>> On 21 December 2014 at 19:19, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
>>>     * More progress needs to be made on the DNSSEC last-mile
>>>       problem,
>>
>> Indeed, this does appear to be the biggest blocker for DANE.
>>
>> But also: DANE puts registries and registrars in the roles of CA and
>> RA.
>
> I'm not sure I understand this. How would DANE put registrars into the
> role of a CA or RA?
>
> Is your concern that a registrar is able to modify each of the A, AAAA
> and TLSA-records of any entrusted domain? Either voluntarily or coerced?

Yes.

> It's up to the domain owner to monitor the registrar. Using
> decentralised tools such as the IETF's Atlas network or tor to prevent
> the registrar from detecting your monitoring and get a good overview of
> worldwide perspectives.

This is clearly a step in the right direction, though it will not help
against targeted attacks.

> If we think CAs are not a good solution, how is it the
>> registries/registrars magically are?
>
> The missing ingredient is a way for the end user to identify when a
> site's TLSA-records gets compromised.
>
> For that, each site needs to run their own CA, sign their server
> certificate with it and publish their own CA-cert in DANE.
>
> The user agent (browser) can pin the domain name and CA-cert together at
> first contact. It's Trust-on-First-use, agreed. But for that we have CT
> to provide a historic view, reducing the amount of trust at first.

OK, so DANE + pinning + CT? I'm not entirely sure about including
pinning (because of the aforementioned difficulties). However, seems
like a step in the right direction, but I still end up back where I
started:

a) (If pinning is in the picture): what is done about failures as I
originally asked?

b) How do we prevent CT from being spammed?

c) What do we do when badness is detected using this system?