[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Tue Dec 23 13:42:00 EST 2014

On Tue, Dec 23, 2014 at 05:55:57PM +0000, Ben Laurie wrote:

> > Ben, there are various obstacles to widespread use of DANE today,
> > I mentioned most of them, but being less secure for DV than a CA
> > is *not* one of them.  On the contrary, DV by a CA is strictly
> > weaker, since control of registration or ability to make DNS changes
> > gets you a DV cert.
> Totally agreed! My point is just that DANE does not fix one of the
> underlying problems, namely that we cannot trust the entities that
> control the systems that validate our keys. CT is intended to help
> mitigate that problem for PKIX, and if we can solve the deployment
> problems for DANE we will need something like CT to mitigate it for

Nico will cheer loudly if you also design a usable CT for DNSSEC,
that augments DS records with CT evidence.  Which means that CT
logs now expose all secure delegations.  Getting it deployed is
of course an uphill battle.

> > The new Let's Encrypt initiative (an example soon to be CA) will
> > I fear not take into account the DNSSEC status of domains.
> Why do you think it will not? I suspect it should. Are you thinking
> about DANE or CAA or both here?

I think they should, but I've seen no evidence that they will.  My
questions about this on the acme list either went unanswered, or
I missed the answers. :-(

> > So, I think you're being a bit obstinate on this one, let's discuss
> > something more substantive.
> I have perhaps been unclear what my concerns are. I hope this clears it up.

Yes, I think we're in fact much more in agreement than appears at
first glance:

    * DANE is a better DV, and most domains are and *will be*
      protected by DV not EV (EV with CT for high-value, DANE DV
      for large-scale).

    * CT for DNSSEC is worth exploring, will take time, and much
      evangelism to deploy.

    * Sure, the 0.1% of domains that use EV are "important" to
      consumers, and are major targets of "phishing", ... so EV is
      not "solved" by DANE.  (Though many of us feel that ultimately
      the solution to phishing should not be any kind of certificates,
      but that other thread is bogged down).

    * DANE is not going to displace EV, and presumably the list of
      EV CAs is smaller, and CT may keep them honest.

    * So, some day, it would be nice to see (CA-based) DV go away
      to be replaced by DANE, with any CAs that remain doing just EV.

    * Which means that Let's Encrypt is a useful multi-year stop-gap,
      and with luck ultimately goes away.

Related to this is a hope that some day we'll have additional
transport options along the lines of "MinimalT" that yield security
and make source address forgery difficult, while having the latency
of UDP rather than TCP (for repeat visits).  Then DNS could run
over such a transport and provide some confidentiality too, provided
of course one trusts the peer to not disclose query logs to

