On Sat, 10 Apr 2021 at 21:40, Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
On Sat, Apr 10, 2021 at 12:59:34PM -0700, Michael Thomas wrote:
> Let me ask a pointed question: if we used DANE+DNSSec do we have confidence
> in the security of the solution? I think we'd have to have a lot of
> confidence in both that they are really ready for prime time.
I do, for the reasons I gave. It can't be worse than WebPKI, that's for
sure.
It is not for sure, because DNS has no transparency requirements.
At least in a pre-post-quantum world. In a PQ world I suspect
we'd want to have something more akin to a PKI + Needham-Schroeder to
optimize PQ PK.
I think I would prefer a single-root PKIX PKI with name constraints to
DNSSEC/DANE. Perhaps we can still get that by getting registries/
registrars to operate name-constrained CAs, and replace WebPKI with a
DNS-parallel PKI. But at this point DNSSEC/DANE seems much more
realistic as a way to get to a single-root name constrained PKI for
domainnames. Also, DNSSEC can do secure denial of existence while PKIX
cannot because wheras DNSSEC is based on a directory (DNS), x.509/PKIX,
though it was meant to be used with directories (DAP) doesn't really
have a viable global directory scheme (imagine using LDAP as we use
DNS!), and doesn't have a directory that can do secure denial of
existence either.
Nico
--
