--On Friday, September 06, 2013 17:11 +0100 Tony Finch
<dot@xxxxxxxx> wrote:
> John C Klensin <john@xxxxxxx> wrote:
>>
>> Please correct me if I'm wrong, but it seems to me that
>> DANE-like approaches are significantly better than traditional
>> PKI ones only to the extent to which:
>...
> Yes, but there are some compensating pluses:
Please note that I didn't say "worse", only "not significantly
better".
> You can get a meaningful improvement to your security by good
> choice of registrar (and registry if you have flexibility in
> your choice of name). Other weak registries and registrars
> don't reduce your DNSSEC security, whereas PKIX is only as
> secure as the weakest CA.
Yes and no. Certainly I can improve my security as you note. I
can also improve the security of a traditional certificate by
selecting from only those CAs who require a high degree of
assurance that I am who I say I am. But, from the standpoint of
a casual user using readily-available and understandable tools
(see my recent note) and encountering a key or signature from
someone she doesn't know already, there is little or no way to
tell whether the owner of that key used a reliable registrar or
a sleazy one or, for the PKI case, a high-assurance and reliable
CA or one whose certification criterion is the applicant's
ability to pay. There are still differences and I don't mean to
dismiss them.I just don't think we should exaggerate their
significance.
And, yes, part of what I'm concerned about is the very ugly
problem of whether, if I encounter an email address and key for
TonyFinch@xxxxxxxxxxxxxxxx or, (slightly) worse, in one of the
thousand new TLDs that ICANN assures us will improve the quality
of their lives, how I determine whether that is you, some other
Tony Finch who claims expertise in email, or Betty Attacker
Bloggs pretending to be one of you. As Pete has suggested, one
way to do that is to set up an encrypted connection without
worrying much about authentication and then quiz each other
about things that Tony(2), Betty, or John(2) are unlikely to
know until we are confident enough for the purposes. But,
otherwise....
By contrast, if I know a priori that the Tony Finch I'm
concerned about is the person who controls dotat.at and you know
that the John Klensin you are concerned about is the person who
controls jck.com, and both of us are using addresses in those
domains with which we have been familiar for years, then the
task is much easier with either a PKI or DANE -- and certainly
more convenient and reliable with the latter because we know
each other well enough, even if mostly virtually, to be
confident that the other is unlikely to be dealing with
registrars or registries who would deliberately enable domain or
key impersonation. Nor would either of us be likely to be quiet
about such practices if they were discovered.
> An attacker can use a compromise of your DNS infrastructure to
> get a certificate from a conventional CA, just as much as they
> could compromise DNSSEC-based service authentication.
Exactly. Again, my point in this note and the one I sent to the
list earlier today about the PGP-PKI relationship is that we
should understand and take advantage of the differences among
systems if and when we can, but that it is a bad idea to
exaggerate those advantages or differences.
john