[Cryptography] distrusted root CA: WoSign

Ben Laurie ben at links.org
Sun Oct 2 13:33:54 EDT 2016 

On 2 October 2016 at 04:42, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> On Sat, Oct 01, 2016 at 11:02:19PM +0100, Ben Laurie wrote:
>
>> Alternatives like DANE are just shuffling the deck chairs on the
>> Titanic. What can you do that is radically better than CAs +
>> transparency?
>
> Well, DANE is strictly stronger than DV, because it is tied to
> direct evidence of domain control, via the domain management account
> of the domain owner at the registrar/registry that publishes the
> DS records on the owner's behalf.
>
> Whereas, DV is a point in time, MiTM-vulnerable, leap-of-faith by
> any one of a multiplicity of CAs that perform cursory "verification"
> of domain control.

I don't understand why that makes DANE strictly better.

* point in time applies to both protocols, surely? Except in the DANE
case the "point" is every time the DNS lookup is done - i.e. far more
often than in DV.

* cursory "verification" of domain control is common to both protocols.

* DNS registries/registrars have a _far_ worse track record than CAs do.

> So DANE would certainly be progress, but it is
> not currently practical for mobile clients that find themselves
> regularly on airport WiFi networks, hotel captive-portal networks,
> and other DNSSEC-unfriendly environments.  DANE stapling is still
> on the drawing board, in part waiting for the TLS WG to be less
> attention starved by TLS 1.3 to the exclusion of much other work.

Chrome did support it for a while. No-one used it. Probably it was
premature, unfortunately.

> Which is not to say that transparency is a bad idea.  We each have
> technologies we've invested a bunch of effort into, there's no need
> to disparage either, they each have their place.  DANE is well
> suited to SMTP + STARTTLS, CT is more applicable to the Web.

DNSSEC also needs transparency, for exactly the same reason CAs do.
And there needs to be a way to kick DNS registries/registrars out (for
being crap), which doesn't appear to exist currently.

Transparency is orthogonal to the protocol that is being transparented.

More information about the cryptography mailing list