On 4/10/21 1:39 PM, Nico Williams wrote:
> On Sat, Apr 10, 2021 at 12:59:34PM -0700, Michael Thomas wrote:
>> Let me ask a pointed question: if we used DANE+DNSSec do we have confidence
>> in the security of the solution? I think we'd have to have a lot of
>> confidence in both that they are really ready for prime time.
> I do, for the reasons I gave. It can't be worse than WebPKI, that's for
> sure. At least in a pre-post-quantum world. In a PQ world I suspect
> we'd want to have something more akin to a PKI + Needham-Schroeder to
> optimize PQ PK.
>
> I think I would prefer a single-root PKIX PKI with name constraints to
> DNSSEC/DANE. Perhaps we can still get that by getting registries/
> registrars to operate name-constrained CAs, and replace WebPKI with a
> DNS-parallel PKI. But at this point DNSSEC/DANE seems much more
> realistic as a way to get to a single-root name-constrained PKI for
> domain names. Also, DNSSEC can do secure denial of existence while PKIX
> cannot, because whereas DNSSEC is based on a directory (DNS), X.509/PKIX,
> though it was meant to be used with directories (DAP), doesn't really
> have a viable global directory scheme (imagine using LDAP as we use
> DNS!), and doesn't have a directory that can do secure denial of
> existence either.
My take on DNSSec is that I only understand some of the large contours,
but I trust that the IETF process would not produce something that's a
complete flop from a technical standpoint, though that does happen too.
But DNS is pretty damn important, so I hope the clue level looking at it
was intense. The biggest IETF failing is solving problems nobody needs
solved. Maybe DANE can be a sleeper that was just ahead of its time.
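An added illustration, not from anyone in the thread, of the "secure denial of existence" property Nico contrasts with PKIX: an NSEC chain lets a validator check that a queried name falls between two signed neighbours in RFC 4034 canonical order, which is something a certificate hierarchy with no directory cannot express. The zone below is constructed, and the RRSIG verification of the NSEC records is assumed to have already succeeded; the wildcard and closest-encloser parts of a full NXDOMAIN proof are omitted.

```python
# Simplified NSEC proof-of-nonexistence check (RFC 4034 section 4 and 6.1).
# Assumption: the NSEC RRsets have already been validated via their RRSIGs;
# this only demonstrates the ordering logic behind "secure denial of existence".

def canonical_key(name: str) -> tuple:
    """Key implementing RFC 4034 canonical DNS name ordering: labels are compared
    right to left (TLD first), case-insensitively, and a name that is a prefix of
    another (fewer labels) sorts first."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next_name in canonical order.
    The last NSEC in a zone points back to the apex, so next < owner marks the
    wrap-around record, which covers everything sorting after owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain

# Constructed zone (not a real one): (owner, next) pairs of a validated NSEC chain.
NSEC_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),   # last record wraps back to the apex
]

def prove_nonexistence(chain, qname):
    """Return the (owner, next) NSEC record proving qname does not exist, or None
    when no record covers it: the name exists (it owns an NSEC) or the proof is
    incomplete. A PKIX CA has no equivalent: it can only assert names it issued for."""
    for owner, nxt in chain:
        if canonical_key(owner) == canonical_key(qname):
            return None   # name exists in the zone, so nothing to deny
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None
```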