[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Sun Dec 28 10:05:00 EST 2014

On Sat, Dec 27, 2014 at 12:22:21PM -0500, Paul Wouters wrote:

> >CT for parent domains serving entries in what should be a child
> >domain is doable I think.
> As someone told me offline, qname minimalization actually solves this
> problem.

This had occured to me, but there are some issues:

    * With "_<port>._<proto>.mxhost.example.com" one might
      now need to make 5 queries instead of 3, unless there
      is way to "tune" minimization.  I am concerned about the
      impact on latency.

    * Validating stub resolvers would need to retrieve each
      of the relevant intermediate nodes, increasing the number of
      messages sent to the recursive resolver.

    * This still might not address denial of existence "spam".

> >I've not been following the "trans" working group, is there a
> >plausible design for CT for DNSSEC, or do the problems look
> >intractable?
> That discussion has started, but the WG first wants to focus on the core
> documents and complete those before moving into the other areas such as
> DNSSEC and binary blob transparency.

Thanks for the update.  Understood.


More information about the cryptography mailing list