[Cryptography] Certificates and PKI

Nico Williams nico at cryptonector.com
Tue Dec 23 15:36:03 EST 2014

On Tue, Dec 23, 2014 at 06:42:00PM +0000, Viktor Dukhovni wrote:
> On Tue, Dec 23, 2014 at 05:55:57PM +0000, Ben Laurie wrote:
> > > Ben, there are various obstacles to widespread use of DANE today,
> > > I mentioned most of them, but being less secure for DV than a CA
> > > is *not* one of them.  On the contrary, DV by a CA is strictly
> > > weaker, since control of registration or ability to make DNS changes
> > > gets you a DV cert.
> > 
> > Totally agreed! My point is just that DANE does not fix one of the
> > underlying problems, namely that we cannot trust the entities that
> > control the systems that validate our keys. CT is intended to help
> > mitigate that problem for PKIX, and if we can solve the deployment
> > problems for DANE we will need something like CT to mitigate it for

DNSSEC/DANE puts registries into the same position as a
properly-constrained CA (something that doesn't exist).

CT is more than just a mitigation against lack of name constraints.
It's applicable to any kind of PKI.  DNSSEC is a kind of PKI.  CT should
be applicable to DNSSEC.

> Nico will cheer loudly if you also design a usable CT for DNSSEC,
> that augments DS records with CT evidence.  Which means that CT
> logs now expose all secure delegations.  Getting it deployed is
> of course an uphill battle.

I'm already practicing the cheer.  I'm not much of a gymnast, but I'll
even wave around some pom-poms if it'll help.

> Yes, I think we're in fact much more in agreement than appears at
> first glance:
>     * DANE is a better DV, and most domains are and *will be*
>       protected by DV not EV (EV with CT for high-value, DANE DV
>       for large-scale).
>     * CT for DNSSEC is worth exploring, will take time, and much
>       evangelism to deploy.
>     * Sure the 0.1% of domains that use EV are "important" to
>       consumers, and are major targets of "phishing", ... so EV is
>       not "solved" by DANE.  (Though many of us feel that ultimately
>       the solution to phishing should not be any kind of certificates,
>       but that other thread is bogged down).

To the extent that browsers come with pre-loaded "important" site pins,
why do we need EV?  But whatever, and DANE is orthogonal to that.

>     * DANE is not going to displace EV, and presumably the list of
>       EV CAs is smaller, and CT may keep them honest.
>     * So, some day, it would be nice to see (CA-based) DV go away
>       to be replaced by DANE, with any CAs that remain doing just EV.


>     * Which means that Let's Encrypt is a useful multi-year stop-gap,
>       and with luck ultimately goes away.

It's a lower barrier to entry for small players.

> Related to this, is a hope that some day we'll have additional
> transport options along the lines of "MinimalT" that yield security
> and make source address forgery difficult, while having the latency
> of UDP rather than TCP (for repeat visits).  Then DNS could run
> over such a transport and provide some confidentiality too, provided
> of course one trusts the peer to not disclose query logs to
> adversaries.


