[Certsanddns] [SPAM] FW: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3 certificates in combination

Thuy LeDinh tledinh at pir.org
Mon Jan 10 12:15:57 MST 2011



I would like to be a part of this meeting if space remains.  I would be
there in an observer capacity from ICANN.

 

1. Name - Richard Lamb,  DNSSEC Program Manager and DNSSEC root system
architect

2. Organization - ICANN

3. Brief background and expression of interest.

 

My interest is in gaining a greater understanding of the details of this
primary motivator for registrars to securely support DNSSEC.   This will
help me promulgate an accurate message during my road shows.

 

Bio: http://www.icann.org/en/biog/lamb.htm

 

-Rick

 

 

From: Thuy LeDinh [mailto:tledinh at pir.org] 
Sent: Wednesday, January 05, 2011 7:31 PM
To: James M. Galvin
Subject: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3
certificates in combination

 

Dear Colleagues,

 

The CA/Browser Forum and the DNSSEC Coalition are holding a joint expert
meeting to discuss the possible use of DNSSEC and X.509v3 certificates
in combination, as outlined in the note following this announcement.

 

The meeting will be held at:

  PayPal Inc.,
  9999 N. 90th Street,
  Scottsdale,
  AZ 85258.

Starting at 1:00 PM local time on the Wed 26 Jan 2011.

 

Those interested in attending should forward a request to the organizing
committee at: certsanddns at cabforum.org containing the following
information:

 

1. Name,

2. Organization,

3. Brief background and expression of interest.

 

Please submit by 10 Jan 2011.  Those selected to attend will be notified
by 14 Jan 2011.

 

Applicants should be aware that attendance is limited to 30 people. So,
it may not be possible to accommodate all those who express an interest
in attending.

 

The Organizing Committee comprises:

Jim Galvin, Afilias
Phillip Hallam-Baker, Comodo
Ryan Koski, Go Daddy
Tim Moses, Entrust
Yngve Pettersen, Opera
Andy Steingruebl, PayPal
Ben Wilson, DigiCert

 

 

Background

There has been important progress in the deployment of DNSSEC in the
past 12 months.  And there is now a reasonable expectation that most DNS
TLDs will be signed within the next 12 months.

 

The question of how to deploy DNSSEC, and whether deployment is
feasible, has opened up an opportunity to consider how DNSSEC will be
used in practice.  It would be a remarkably poor use of time and
resources, for instance, to deploy an infrastructure as complex as
DNSSEC only to deflect spoofing attacks from the DNS infrastructure to
the BGP infrastructure. And, while providing an alternative to the
existing market for the Certification Authority infrastructure that has
been established over the past 15 years may be one use of DNSSEC, it is
not the only (or even the best) use that can be made of it.

 

Now that DNS registrars are at the point of deployment, questions about
the DNSSEC business model cannot be ignored any longer. The registrars
are being asked to make a substantial investment to support DNSSEC. And,
in order to justify that investment, most will expect to demonstrate
benefits to their customers that are concrete and immediate.

 

DNSSEC is a PKI. Certification Authorities are in the business of
deploying, managing and marketing PKIs. DNSSEC offers capabilities that
the X.509v3 model does not.  And, X.509v3 is designed to support use
cases that DNSSEC is not. Certification Authorities are also the
traditional partners that DNS registrars have relied upon to fulfill
their customers' existing PKI needs.

 

There are many potential benefits of combining the X.509v3 and DNSSEC
models. DNSSEC provides a key-validation mechanism that is directly tied
to the Internet naming system: the DNS. X.509v3 provides support for
Trusted Third Party services, including assurance that the key-holder is
a legitimate business entity, has authorized the issuance, and can be
held accountable.

 

The practices and liability model of DNSSEC is (at best) incompletely
documented, while X.509v3 provides a liability model that is designed to
control risk exposure in multi-million dollar electronic contracts.

 

Each infrastructure offers capabilities that the other does not. We can
either attempt to grow one infrastructure to encompass the other, or we
can use both in combination. Important areas of potential benefit
include:

 

Security Policy

The security of SSL would be significantly improved if there were a
means of ensuring that clients select the strongest level of security
available for a site. While HSTS 'strict security' offers this service
after first contact, DNSSEC has the potential to offer it on every
contact.

 

Certification Authority Authorization

One of the biggest challenges facing a Certification Authority is
avoiding certificate mis-issuance. Mis-issuance events can damage a CA
brand for decades, and have led some to assert that the security of the
SSL PKI is determined by the issuance practices of the weakest, most
negligent, CA in the browser trust store. CAA is a proposal that uses
DNS records to specify which CAs are authorized to issue for a given
domain, thereby preventing this form of downgrade attack.

 

Strong Wildcards / Ubiquitous Keying

Wildcard certificates have proven benefits for certain purposes.  But
the lack of a direct binding to the actual end-entity domain name
remains somewhat unsatisfactory. Combining wildcard certificates with
DNSSEC may allow this limitation to be overcome.

 

Lifecycle Management

As with any PKI, DNSSEC requires support infrastructure for key
lifecycle management. PKI vendors already provide and maintain
infrastructures to manage the lifecycle of the cryptographic keys. Most
enterprises will be best served by one infrastructure that can manage
keys for both X.509 and DNSSEC.

 

Liability control

Early attempts to establish X.509v3 PKI were frustrated by the lack of
consideration for the liabilities that issuing parties incur by signing
public-keys for unspecified purposes. DNSSEC lacks the sophisticated
controls that have been developed to control and mitigate such
liabilities.  But, ignoring a legal issue does not cause it to go away.
In particular, DNSSEC does not allow a key-signer to specify: the
practices under which the key was validated, the intended field of use,
or what relying party expectations are reasonable. Simple measures would
allow the existing features used to mitigate litigation risks in X.509v3
to be applied in the context of DNSSEC.

 

Realizing these potential benefits represents a multi-party action
problem. While it is easy to propose technical standards to implement
such measures, realizing the benefits is only possible if there is
common interest in establishing a business infrastructure to support
them. Infrastructure is useless without applications that use it, just
as applications are useless without the infrastructure upon which they
were built to rely.

 

 

________________________________

 

.ORG, The Public Interest Registry

Mobile:+1 703-929-6395  |  www.pir.org <http://www.pir.org/>  |  

 


 

Confidentiality Note:  Proprietary and confidential to .ORG, The Public
Interest Registry.  If received in error, please inform sender and then
delete.
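
Added example, not part of the original message or of any CA's code: a sketch of the issuance check a CA could run against the CAA records described under "Certification Authority Authorization". It assumes the semantics later standardized in RFC 8659 (issue / issuewild tags, tree climbing, critical flag); the zone data and CA names are constructed, and no DNS lookup or DNSSEC validation is performed.

```python
# Constructed CAA data: owner name -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "ca-two.example; policy=ev")],
    "locked.example.com": [(0, "issue", ";")],
    "odd.example.com": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":            # a wildcard request is checked at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Strip any parameters after ';' and normalise the issuer domain name."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone=ZONE):
    """Return True if CAA does not forbid `ca` from issuing for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                 # no CAA anywhere on the path: unrestricted
    # An unrecognised tag with the critical bit set means: do not issue.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild (if present) replaces issue entirely.
    props = issuewild if name.startswith("*.") and issuewild else issue
    if not props:
        return True                 # e.g. only iodef present: no restriction
    # An empty issuer domain (";") matches no CA, so it forbids issuance.
    return any(issuer_domain(v) == ca.lower() for v in props)
```
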

 
