[Certsanddns] FW: [cabfman] Expert meeting on the use of DNSSEC
and X.509v3 certificates in combination
Steingruebl, Andy
asteingruebl at paypal-inc.com
Wed Jan 19 11:01:52 MST 2011
Sounds fine to me. Can we lock this down by 2 hours from now so I can finalize logistics, etc. with my folks?
Thanks
--
Andy Steingruebl
Manager, Internet Standards and Governance
PayPal Information Risk Management
(408) 967-4650
> -----Original Message-----
> From: certsanddns-bounces at cabforum.org [mailto:certsanddns-
> bounces at cabforum.org] On Behalf Of Tim Moses
> Sent: Wednesday, January 19, 2011 9:52 AM
> To: Certs and DNS industry meeting Jan 2011
> Subject: [Certsanddns] FW: [cabfman] Expert meeting on the use of DNSSEC
> and X.509v3 certificates in combination
>
> Guys - I don't see this one in my inbox. Any problem including them? All the
> best. Tim.
>
> -----Original Message-----
> From: Brian Trzupek [mailto:BTrzupek at trustwave.com]
> Sent: Wednesday, January 19, 2011 10:20 AM
> To: Tim Moses
> Subject: Fwd: [cabfman] Expert meeting on the use of DNSSEC and X.509v3
> certificates in combination
>
> Tim,
>
> Here is the email that I sent you on the 20th in RE: to the DNSSEC meeting.
> We really want to have Nick there if possible. How do we work this out?
>
> Thanks,
> Brian
>
> Begin forwarded message:
>
> From: Brian Trzupek <BTrzupek at trustwave.com>
> Date: December 20, 2010 10:25:01 AM CST
> To: certsanddns at cabforum.org
> Subject: Fwd: [cabfman] Expert meeting on the use of DNSSEC and X.509v3
> certificates in combination
>
> Dear all,
>
> Trustwave is interested in attending this event. Specifically we would like to
> have the leader of our application penetration testing and security practice
> participate in the event. His background and involvement on this issue is vast.
> Here is his BIO:
>
> Nicholas is Senior Vice President and Head of SpiderLabs at Trustwave. He
> has more than 14 years of information security experience. In his role at
> Trustwave, he leads SpiderLabs, the team that has performed more than
> 1000 computer incident response and forensic investigations globally,
> thousands of penetration and application security tests for clients and
> security research to improve Trustwave's products. Nicholas acts as the lead
> security advisor to many of Trustwave's premier clients by assisting them in
> making strategic decisions around various security compliance regimes.
>
> In 2004, Nicholas drafted an application security framework that became
> known as the Payment Application Best Practices (PABP). In 2008, this
> framework was adopted as a global standard called Payment Application Data
> Security Standard (PA-DSS).
>
> As a speaker, he has provided unique insight around security breaches,
> malware, mobile security and InfoSec trends to public (Black Hat, DEFCON,
> SecTor, You Sh0t the Sheriff, Malware, etc.) and private audiences
> throughout North America, South America, Europe, and Asia.
>
> Nicholas and his research have been featured by many major outlets, including:
> The Washington Post, eWeek, PCWorld, CNet, Wired, Hakin9, Network
> World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO
> Magazine, CNN, The Times (London), NPR and The Wall Street Journal.
>
> Nicholas is currently a member of the Dean's Advisory Board for The College
> of Applied Science & Technology at Illinois State University.
>
> Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign
> and Internet Security Systems. Nicholas earned a Bachelor of Science in
> Computer Science from Illinois State University.
>
> Thanks,
>
> Brian Trzupek
> VP of Managed Identity and SSL
> Trustwave
> 70 West Madison Street
> Suite 1050
> Chicago, Illinois 60602
> Office: 312-873-7687
> Fax: 312-277-6767
> ssl.trustwave.com
>
> Save over 50% over the competition and Upgrade to a Trustwave EV SSL
> Certificate Today!
> https://ssl.trustwave.com/campaign/ev001/
>
> Begin forwarded message:
>
> From: Tim Moses <tim.moses at entrust.com>
> Date: December 20, 2010 10:16:10 AM CST
> To: management at cabforum.org
> Subject: [cabfman] Expert meeting on the use of DNSSEC and X.509v3
> certificates in combination
>
> Colleagues
>
> The CA/Browser Forum and the DNSSEC Coalition are holding a joint expert
> meeting to discuss the possible use of DNSSEC and X.509v3 certificates in
> combination, as outlined in the note following this announcement.
>
> The meeting will be held at:
>
> PayPal Inc.,
> 9999 N. 90th Street,
> Scottsdale,
> AZ 85258.
>
> Starting at 1:00 PM local time on Wed 26 Jan 2011.
>
> Those interested in attending should forward a request to the organizing
> committee at:
>
> certsanddns at cabforum.org
>
> containing the following information:
>
> name,
> organization,
> brief background and expression of interest.
>
> By 31 Dec 2010. Those selected to attend will be notified by 7 Jan 2011.
>
> Applicants should be aware that attendance is limited to 30 people. So, it
> may not be possible to accommodate all those who express an interest in
> attending.
>
> The Organizing Committee comprises:
>
> Jim Galvin, Afilias
> Phillip Hallam-Baker, Comodo
> Ryan Koski, Go Daddy
> Tim Moses, Entrust
> Yngve Pettersen, Opera
> Andy Steingruebl, PayPal
> Ben Wilson, DigiCert
>
>
> Background
>
> There has been important progress in the deployment of DNSSEC in the past
> 12 months. And there is now a reasonable expectation that most DNS TLDs
> will be signed within the next 12 months.
>
> The question of how to deploy DNSSEC, and whether deployment is feasible,
> has opened up an opportunity to consider how DNSSEC will be used in
> practice. It would be a remarkably poor use of time and resources, for
> instance, to deploy an infrastructure as complex as DNSSEC only to deflect
> spoofing attacks from the DNS infrastructure to the BGP infrastructure. And,
> while providing an alternative to the existing market for the Certification
> Authority infrastructure that has been established over the past 15 years
> may be one use of DNSSEC, it is not the only (or even the best) use that can
> be made of it.
>
> Now that DNS registrars are at the point of deployment, questions about the
> DNSSEC business model cannot be ignored any longer. The registrars are
> being asked to make a substantial investment to support DNSSEC. And, in
> order to justify that investment, most will expect to demonstrate benefits to
> their customers that are concrete and immediate.
>
> DNSSEC is a PKI. Certification Authorities are in the business of deploying,
> managing and marketing PKIs. DNSSEC offers capabilities that the X.509v3
> model does not. And, X.509v3 is designed to support use cases that DNSSEC
> is not. Certification Authorities are also the traditional partners that DNS
> registrars have relied upon to fulfill their customers' existing PKI needs.
>
> There are many potential benefits of combining the X.509v3 and DNSSEC
> models. DNSSEC provides a key-validation mechanism that is directly tied to
> the Internet naming system: the DNS. X.509v3 provides support for Trusted
> Third Party services, including assurance that the key-holder is a legitimate
> business entity, has authorized the issuance, and can be held accountable.
>
> The practices and liability model of DNSSEC are (at best) incompletely
> documented, while X.509v3 provides a liability model that is designed to
> control risk exposure in multi-million dollar electronic contracts.
>
> Each infrastructure offers capabilities that the other does not. We can either
> attempt to grow one infrastructure to encompass the other, or we can use
> both in combination. Important areas of potential benefit include:
>
> Security Policy
> The security of SSL would be significantly improved if there were a means of
> ensuring that clients select the strongest level of security available for a site.
> While HSTS 'strict security' offers this service after first contact, DNSSEC has
> the potential to offer it on every contact.
>
> Certification Authority Authorization
> One of the biggest challenges facing a Certification Authority is avoiding
> certificate mis-issuance. Mis-issuance events can damage a CA brand for
> decades, and have led some to assert that the security of the SSL PKI is
> determined by the issuance practices of the weakest, most negligent, CA in
> the browser trust store. CAA is a proposal that uses DNS records to specify
> which CAs are authorized to issue for a given domain, thereby preventing
> this form of downgrade attack.
>
> Strong Wildcards / Ubiquitous Keying
>
> Wildcard certificates have proven benefits for certain purposes. But the lack
> of a direct binding to the actual end-entity domain name remains somewhat
> unsatisfactory. Combining wildcard certificates with DNSSEC may allow this
> limitation to be overcome.
>
> Lifecycle Management
>
> As with any PKI, DNSSEC requires support infrastructure for key lifecycle
> management. PKI vendors already provide and maintain infrastructures to
> manage the lifecycle of the cryptographic keys. Most enterprises will be best
> served by one infrastructure that can manage keys for both X.509 and
> DNSSEC.
>
> Liability control
> Early attempts to establish X.509v3 PKI were frustrated by the lack of
> consideration for the liabilities that issuing parties incur by signing public-keys
> for unspecified purposes. DNSSEC lacks the sophisticated controls that have
> been developed to control and mitigate such liabilities. But, ignoring a legal
> issue does not cause it to go away. In particular, DNSSEC does not allow a
> key-signer to specify: the practices under which the key was validated, the
> intended field of use, or what relying party expectations are reasonable.
> Simple measures would allow the existing features used to mitigate litigation
> risks in X.509v3 to be applied in the context of DNSSEC.
>
> Realizing these potential benefits represents a multi-party action problem.
> While it is easy to propose technical standards to implement such measures,
> realizing the benefits is only possible if there is common interest in
> establishing a business infrastructure to support them. Infrastructure is
> useless without applications that use it, just as applications are useless
> without the infrastructure upon which they were built to rely.
>
>
> Tim Moses
> +1 613 270 3183
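An added example (not from this thread or from any of the organizations named in it) of how a CA would evaluate the Certification Authority Authorization records described in the quoted announcement: assuming a constructed set of CAA records and the climbing rule later standardised in RFC 6844 and revised in RFC 8659, the check walks from the requested name up towards the root, takes the first CAA record set it finds, and decides whether a given CA is authorized to issue, covering the wildcard and critical-flag cases as well.

```python
from typing import Optional

# Constructed CAA data keyed by fully qualified name: (flags, tag, value).
# Names absent from this table are treated as publishing no CAA records.
CONSTRUCTED_ZONE = {
    "example.com.": [(0, "issue", "ca-a.example"),
                     (0, "issuewild", "ca-b.example"),
                     (0, "iodef", "mailto:security@example.com")],
    "nocaa.example.org.": [],                      # exists, publishes no CAA
    "locked.example.net.": [(0, "issue", ";")],    # ';' forbids all issuance
    "strict.example.io.": [(128, "futuretag", "x")],  # critical, unknown tag
}

def parent(name: str) -> Optional[str]:
    labels = name.rstrip(".").split(".")
    return None if len(labels) <= 1 else ".".join(labels[1:]) + "."

def find_caa(name: str) -> list:
    """Relevant CAA RRset: the first non-empty set found climbing from
    name towards the root (empty list if no ancestor publishes CAA)."""
    cur = name if name.endswith(".") else name + "."
    while cur:
        rrset = CONSTRUCTED_ZONE.get(cur, [])
        if rrset:
            return rrset
        cur = parent(cur)
    return []

def may_issue(ca_domain: str, requested_name: str) -> bool:
    """CA-side decision: may ca_domain issue for requested_name?"""
    wildcard = requested_name.startswith("*.")
    rrset = find_caa(requested_name[2:] if wildcard else requested_name)
    if not rrset:
        return True                       # no CAA anywhere: issuance allowed
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False                  # critical tag we do not understand
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if wildcard and not relevant:         # no issuewild: issue applies instead
        relevant = [v for _, t, v in rrset if t == "issue"]
    if not relevant:
        return True                       # only iodef etc.: nothing restricts
    # Parameters after ';' (e.g. "ca.example; account=123") are not evaluated.
    return ca_domain in {v.split(";")[0].strip() for v in relevant}
```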