[Certsanddns] FW: [cabfman] Expert meeting on the use of DNSSEC and X.509v3 certificates in combination
Tim Moses
tim.moses at entrust.com
Wed Jan 19 10:51:40 MST 2011
Guys - I don't see this one in my inbox. Any problem including them? All the best. Tim.
-----Original Message-----
From: Brian Trzupek [mailto:BTrzupek at trustwave.com]
Sent: Wednesday, January 19, 2011 10:20 AM
To: Tim Moses
Subject: Fwd: [cabfman] Expert meeting on the use of DNSSEC and X.509v3 certificates in combination
Tim,
Here is the email that I sent you on the 20th in RE: to the DNSSEC meeting. We really want to have Nick there if possible. How do we work this out?
Thanks,
Brian
Begin forwarded message:
From: Brian Trzupek <BTrzupek at trustwave.com>
Date: December 20, 2010 10:25:01 AM CST
To: "certsanddns at cabforum.org" <certsanddns at cabforum.org>
Subject: Fwd: [cabfman] Expert meeting on the use of DNSSEC and X.509v3 certificates in combination
Dear all,
Trustwave is interested in attending this event. Specifically we would like to have the leader of our application penetration testing and security practice participate in the event. His background and involvement on this issue are vast. Here is his BIO:
Nicholas is Senior Vice President and Head of SpiderLabs at Trustwave. He has more than 14 years of information security experience. In his role at Trustwave, he leads SpiderLabs, the team that has performed more than 1000 computer incident response and forensic investigations globally, thousands of penetration and application security tests for clients and security research to improve Trustwave's products. Nicholas acts as the lead security advisor to many of Trustwave's premier clients by assisting them in making strategic decisions around various security compliance regimes.
In 2004, Nicholas drafted an application security framework that became known as the Payment Application Best Practices (PABP). In 2008, this framework was adopted as a global standard called Payment Application Data Security Standard (PA-DSS).
As a speaker, he has provided unique insight around security breaches, malware, mobile security and InfoSec trends to public (Black Hat, DEFCON, SecTor, You Sh0t the Sheriff, Malware, etc.) and private audiences throughout North America, South America, Europe, and Asia.
Nicholas and his research have been featured by many major outlets including: The Washington Post, eWeek, PCWorld, CNet, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times (London), NPR and The Wall Street Journal.
Nicholas is currently a member of the Dean's Advisory Board for The College of Applied Science & Technology at Illinois State University.
Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas earned a Bachelor of Science in Computer Science from Illinois State University.
Thanks,
Brian Trzupek
VP of Managed Identity and SSL
Trustwave
70 West Madison Street
Suite 1050
Chicago, Illinois 60602
Office: 312-873-7687
Fax: 312-277-6767
http://ssl.trustwave.com/
Save over 50% over the competition and Upgrade to a Trustwave EV SSL Certificate Today!
https://ssl.trustwave.com/campaign/ev001/
Begin forwarded message:
From: Tim Moses <tim.moses at entrust.com>
Date: December 20, 2010 10:16:10 AM CST
To: "management at cabforum.org" <management at cabforum.org>
Subject: [cabfman] Expert meeting on the use of DNSSEC and X.509v3 certificates in combination
Colleagues
The CA/Browser Forum and the DNSSEC Coalition are holding a joint expert meeting to discuss the possible use of DNSSEC and X.509v3 certificates in combination, as outlined in the note following this announcement.
The meeting will be held at:
PayPal Inc.,
9999 N. 90th Street,
Scottsdale,
AZ 85258.
Starting at 1:00 PM local time on Wed 26 Jan 2011.
Those interested in attending should forward a request to the organizing committee at:
certsanddns at cabforum.org
containing the following information:
name,
organization,
brief background and expression of interest,
by 31 Dec 2010. Those selected to attend will be notified by 7 Jan 2011.
Applicants should be aware that attendance is limited to 30 people. So, it may not be possible to accommodate all those who express an interest in attending.
The Organizing Committee comprises:
Jim Galvin, Afilias
Phillip Hallam-Baker, Comodo
Ryan Koski, Go Daddy
Tim Moses, Entrust
Yngve Pettersen, Opera
Andy Steingruebl, PayPal
Ben Wilson, DigiCert
Background
There has been important progress in the deployment of DNSSEC in the past 12 months. And there is now a reasonable expectation that most DNS TLDs will be signed within the next 12 months.
The question of how to deploy DNSSEC, and whether deployment is feasible, has opened up an opportunity to consider how DNSSEC will be used in practice. It would be a remarkably poor use of time and resources, for instance, to deploy an infrastructure as complex as DNSSEC only to deflect spoofing attacks from the DNS infrastructure to the BGP infrastructure. And, while providing an alternative to the existing market for the Certification Authority infrastructure that has been established over the past 15 years may be one use of DNSSEC, it is not the only (or even the best) use that can be made of it.
Now that DNS registrars are at the point of deployment, questions about the DNSSEC business model cannot be ignored any longer. The registrars are being asked to make a substantial investment to support DNSSEC. And, in order to justify that investment, most will expect to demonstrate benefits to their customers that are concrete and immediate.
DNSSEC is a PKI. Certification Authorities are in the business of deploying, managing and marketing PKIs. DNSSEC offers capabilities that the X.509v3 model does not. And, X.509v3 is designed to support use cases that DNSSEC is not. Certification Authorities are also the traditional partners that DNS registrars have relied upon to fulfill their customers' existing PKI needs.
There are many potential benefits of combining the X.509v3 and DNSSEC models. DNSSEC provides a key-validation mechanism that is directly tied to the Internet naming system: the DNS. X.509v3 provides support for Trusted Third Party services, including assurance that the key-holder is a legitimate business entity, has authorized the issuance, and can be held accountable.
The practices and liability model of DNSSEC are (at best) incompletely documented, while X.509v3 provides a liability model that is designed to control risk exposure in multi-million dollar electronic contracts.
Each infrastructure offers capabilities that the other does not. We can either attempt to grow one infrastructure to encompass the other, or we can use both in combination. Important areas of potential benefit include:
Security Policy
The security of SSL would be significantly improved if there were a means of ensuring that clients select the strongest level of security available for a site. While HSTS 'strict security' offers this service after first contact, DNSSEC has the potential to offer it on every contact.
Certification Authority Authorization
One of the biggest challenges facing a Certification Authority is avoiding certificate mis-issuance. Mis-issuance events can damage a CA brand for decades, and have led some to assert that the security of the SSL PKI is determined by the issuance practices of the weakest, most negligent CA in the browser trust store. CAA is a proposal that uses DNS records to specify which CAs are authorized to issue for a given domain, thereby preventing this form of downgrade attack.
Strong Wildcards / Ubiquitous Keying
Wildcard certificates have proven benefits for certain purposes. But the lack of a direct binding to the actual end-entity domain name remains somewhat unsatisfactory. Combining wildcard certificates with DNSSEC may allow this limitation to be overcome.
Lifecycle Management
As with any PKI, DNSSEC requires support infrastructure for key lifecycle management. PKI vendors already provide and maintain infrastructures to manage the lifecycle of the cryptographic keys. Most enterprises will be best served by one infrastructure that can manage keys for both X.509 and DNSSEC.
Liability control
Early attempts to establish X.509v3 PKI were frustrated by the lack of consideration for the liabilities that issuing parties incur by signing public-keys for unspecified purposes. DNSSEC lacks the sophisticated controls that have been developed to control and mitigate such liabilities. But, ignoring a legal issue does not cause it to go away. In particular, DNSSEC does not allow a key-signer to specify: the practices under which the key was validated, the intended field of use, or what relying party expectations are reasonable. Simple measures would allow the existing features used to mitigate litigation risks in X.509v3 to be applied in the context of DNSSEC.
Realizing these potential benefits represents a multi-party action problem. While it is easy to propose technical standards to implement such measures, realizing the benefits is only possible if there is common interest in establishing a business infrastructure to support them. Infrastructure is useless without applications that use it, just as applications are useless without the infrastructure upon which they were built to rely.
Tim Moses
+1 613 270 3183
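The Certification Authority Authorization paragraph in the background note above describes CAA only as "DNS records that specify which CAs are authorized to issue for a given domain". The following is an added worked example of the check a CA would run before issuance; it is not code from the list, the Forum or any of the organizations named, and it assumes the record semantics that the CAA proposal was later standardized with (RFC 6844 / RFC 8659: climb toward the root to find the relevant record set, `issue` governs ordinary names, `issuewild` overrides it for wildcard requests, an empty issuer means "nobody", and a record with an unknown tag whose critical flag is set blocks issuance). The zone data (`SAMPLE_ZONE`), the function names and the CA domains are all constructed for the example; in practice the records would come from a DNSSEC-validating resolver, which is the point of combining the two infrastructures: an unsigned CAA answer could itself be spoofed.

```python
"""CAA issuance check on constructed zone data (no network access).

Semantics assumed: RFC 6844 / RFC 8659. Record set climbing, 'issue',
'issuewild', empty issuer (';') and the critical flag (bit value 128).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical: refuse if the tag is not understood
    tag: str     # "issue", "issuewild", "iodef", or something unknown
    value: str   # for issue/issuewild: "ca-domain[; params]"; "" or ";" = no CA


KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed sample zone: owner name (FQDN, trailing dot) -> CAA RRset.
# A real CA would fetch these through a DNSSEC-validating resolver.
SAMPLE_ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", "ca-two.example"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Domain holder forbids all issuance for this name.
    "locked.example.com.": [CAARecord(0, "issue", ";")],
    # Critical record with a tag this CA does not implement.
    "strict.example.com.": [CAARecord(128, "future-tag", "x")],
}


def relevant_record_set(zone, name):
    """Return (owner, records) for the first non-empty CAA RRset found while
    walking from `name` toward the root, or (None, []) if there is none."""
    labels = name.rstrip(".").split(".")
    while labels:
        fqdn = ".".join(labels) + "."
        rrset = zone.get(fqdn)
        if rrset:
            return fqdn, list(rrset)
        labels = labels[1:]
    return None, []


def _issuer_domain(record):
    """Issuer domain of an issue/issuewild value, lower-cased; '' = nobody."""
    return record.value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue for `name` (or `*.name`).

    Returns (allowed, reason). The reason string is what a CA would log
    so that a refused request can be audited later."""
    owner, rrset = relevant_record_set(zone, name)
    if not rrset:
        return True, "no CAA records in the tree; issuance is unrestricted"

    # Any critical record we cannot interpret forbids issuance outright.
    for r in rrset:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"{owner}: critical CAA tag '{r.tag}' not understood"

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild records, when present, take over for wildcard requests.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"{owner}: CAA present but nothing restricts this request"

    for r in governing:
        issuer = _issuer_domain(r)
        if issuer and issuer == ca_domain.lower():
            return True, f"{owner}: '{r.tag}' record authorizes {ca_domain}"
    return False, f"{owner}: no '{governing[0].tag}' record names {ca_domain}"


if __name__ == "__main__":
    requests = [
        ("www.example.com.", "ca-one.example", False),
        ("www.example.com.", "rogue-ca.example", False),   # mis-issuance attempt
        ("example.com.", "ca-one.example", True),          # *.example.com
        ("locked.example.com.", "ca-one.example", False),
        ("strict.example.com.", "ca-one.example", False),
    ]
    for name, ca, wild in requests:
        ok, why = ca_may_issue(SAMPLE_ZONE, name, ca, wildcard=wild)
        print(f"{'*.' if wild else ''}{name:24} {ca:18} {'ISSUE' if ok else 'REFUSE'}  ({why})")
```

Two design points worth noting for a CA implementing this: the refusal reason is returned rather than just a boolean so that every refused request leaves an auditable record, and the critical-flag check runs before the issuer comparison, so a domain holder can deploy a new restriction tag and be sure that CAs which do not yet understand it will refuse rather than silently ignore it.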