[Cryptography] Certificates and PKI
Nico Williams
nico at cryptonector.com
Tue Dec 23 15:36:03 EST 2014
On Tue, Dec 23, 2014 at 06:42:00PM +0000, Viktor Dukhovni wrote:
> On Tue, Dec 23, 2014 at 05:55:57PM +0000, Ben Laurie wrote:
> > > Ben, there are various obstacles to widespread use of DANE today,
> > > I mentioned most of them, but being less secure for DV than a CA
> > > is *not* one of them. On the contrary, DV by a CA is strictly
> > > weaker, since control of registration or ability to make DNS changes
> > > gets you a DV cert.
> >
> > Totally agreed! My point is just that DANE does not fix one of the
> > underlying problems, namely that we cannot trust the entities that
> > control the systems that validate our keys. CT is intended to help
> > mitigate that problem for PKIX, and if we can solve the deployment
> > problems for DANE we will need something like CT to mitigate it for
> > DNSSEC.
DNSSEC/DANE puts registries into the same position as a
properly-constrained CA (something that doesn't exist).
CT is more than just a mitigation against lack of name constraints.
It's applicable to any kind of PKI. DNSSEC is a kind of PKI. CT should
be applicable to DNSSEC.
> Nico will cheer loudly if you also design a usable CT for DNSSEC,
> that augments DS records with CT evidence. Which means that CT
> logs now expose all secure delegations. Getting it deployed is
> of course an uphill battle.
I'm already practicing the cheer. I'm not much of a gymnast, but I'll
even wave around some pom-poms if it'll help.
> Yes, I think we're in fact much more in agreement than appears at
> first glance:
>
> * DANE is a better DV, and most domains are and *will be*
> protected by DV not EV (EV with CT for high-value, DANE DV
> for large-scale).
>
> * CT for DNSSEC is worth exploring, will take time, and much
> evangelism to deploy.
>
> * Sure the 0.1% of domains that use EV are "important" to
> consumers, and are major targets of "phishing", ... so EV is
> not "solved" by DANE. (Though many of us feel that ultimately
> the solution to phishing should not be any kind of certificates,
> but that other thread is bogged down).
To the extent that browsers come with pre-loaded "important" site pins,
why do we need EV? But whatever, and DANE is orthogonal to that.
> * DANE is not going to displace EV, and presumably the list of
> EV CAs is smaller, and CT may keep them honest.
>
> * So, some day, it would be nice to see (CA-based) DV go away
> to be replaced by DANE, with any CAs that remain doing just EV.
Yes.
> * Which means that Let's Encrypt is a useful multi-year stop-gap,
> and with luck ultimately goes away.
It's a lower barrier to entry for small players.
> Related to this, is a hope that some day we'll have additional
> transport options along the lines of "MinimalT" that yield security
> and make source address forgery difficult, while having the latency
> of UDP rather than TCP (for repeat visits). Then DNS could run
> over such a transport and provide some confidentiality too, provided
> of course one trusts the peer to not disclose query logs to
> adversaries.
This.
Nico
--
More information about the cryptography
mailing list