[Certsanddns] RE: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3 certificates in combination
James M Galvin
jgalvin at afilias.info
Fri Jan 21 14:15:49 MST 2011
Great. I've already sent Rick a note and suggested the teleconference.
So, let's let that play out first and keep his attendance as a backup
for now.
Thanks!
Jim
-- On January 21, 2011 2:02:17 PM -0700 "Steingruebl, Andy"
<asteingruebl at paypal-inc.com> wrote regarding RE: [Certsanddns] RE: Wed
26 Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3
certificates in combination --
> That said, I'm sure I can fit one more...
>
> --
> Andy Steingruebl
> Manager, Internet Standards and Governance
> PayPal Information Risk Management
> (408) 967-4650
>
> > -----Original Message-----
> > From: certsanddns-bounces at cabforum.org [mailto:certsanddns-
> > bounces at cabforum.org] On Behalf Of James M Galvin
> > Sent: Friday, January 21, 2011 12:58 PM
> > To: Tim Moses; certsanddns at cabforum.org
> > Subject: RE: [Certsanddns] RE: Wed 26 Jan 2011 - Meeting on
> > Possible use of DNSSEC and X.509v3 certificates in combination
> >
> > I told Rick to send his query about status to this group when he
> > inquired to me privately. However, he had not indicated that his
> > request went to Thuy originally.
> >
> > Now that I see his original request and further see that he
> > considered himself an observer, let me see if just listening via
> > teleconference will satisfy his needs. That would make this easy
> > for us to address.
> >
> > I'll report back.
> >
> > Jim
> >
> > -- On January 21, 2011 3:47:19 PM -0500 Tim Moses
> > <tim.moses at entrust.com> wrote regarding RE: [Certsanddns] RE: Wed 26
> > Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3
> > certificates in combination --
> >
> > >
> > > Colleagues – As far as I can tell, this request didn’t get to
> > > us.
> > >
> > > Jim – Are you able to deal with it? I’m off the air until
> > > Wednesday.
> > >
> > > Thanks a lot. All the best. Tim.
> > >
> > > From: certsanddns-bounces at cabforum.org
> > > [mailto:certsanddns-bounces at cabforum.org] On Behalf Of Richard Lamb
> > > Sent: Friday, January 21, 2011 3:26 PM
> > > To: certsanddns at cabforum.org
> > > Cc: Thuy LeDinh
> > > Subject: [Certsanddns] RE: Wed 26 Jan 2011 - Meeting on Possible
> > > use of DNSSEC and X.509v3 certificates in combination
> > >
> > > To whom it may concern-
> > >
> > > Any idea what happened to my original request below?
> > >
> > > If my attendance is not possible, is it possible to get dial in
> > > information?
> > >
> > > Thank You,
> > >
> > > Rick Lamb
> > >
> > > DNSSEC Program Manager
> > >
> > > ICANN
> > >
> > > From: Richard Lamb
> > > Sent: Monday, January 10, 2011 10:59 AM
> > > To: 'Thuy LeDinh'
> > > Subject: RE: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC
> > > and X.509v3 certificates in combination
> > >
> > > Thuy--
> > >
> > > I would like to be a part of this meeting if space remains. I
> > > would be there in an observer capacity from ICANN.
> > >
> > > 1. Name – Richard Lamb, DNSSEC Program Manager and DNSSEC root
> > > system architect
> > > 2. Organization - ICANN
> > > 3. Brief background and expression of interest.
> > >
> > > My interest is in gaining a greater understanding of the details
> > > of this primary motivator for registrars to securely support
> > > DNSSEC. This will help me promulgate an accurate message during
> > > my road shows.
> > >
> > > -Rick
> > >
> > > From: Thuy LeDinh [mailto:tledinh at pir.org]
> > > Sent: Wednesday, January 05, 2011 7:31 PM
> > > To: James M. Galvin
> > > Subject: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC and
> > > X.509v3 certificates in combination
> > >
> > > Dear Colleagues,
> > >
> > > The CA/Browser Forum and the DNSSEC Coalition are holding a joint
> > > expert meeting to discuss the possible use of DNSSEC and X.509v3
> > > certificates in combination, as outlined in the note following
> > > this announcement.
> > >
> > > The meeting will be held at:
> > >
> > > PayPal Inc.,
> > > 9999 N. 90th Street,
> > > Scottsdale,
> > > AZ 85258.
> > >
> > > Starting at 1:00 PM local time on the Wed 26 Jan 2011.
> > >
> > > Those interested in attending should forward a request to the
> > > organizing committee at: certsanddns at cabforum.org containing the
> > > following information:
> > >
> > > 1. Name,
> > > 2. Organization,
> > > 3. Brief background and expression of interest.
> > >
> > > Please submit by 10 Jan 2011. Those selected to attend will be
> > > notified by 14 Jan 2011.
> > >
> > > Applicants should be aware that attendance is limited to 30
> > > people. So, it may not be possible to accommodate all those who
> > > express an interest in attending.
> > >
> > > The Organizing Committee comprises:
> > >
> > > Jim Galvin, Afilias
> > > Phillip Hallam-Baker, Comodo
> > > Ryan Koski, Go Daddy
> > > Tim Moses, Entrust
> > > Yngve Pettersen, Opera
> > > Andy Steingruebl, PayPal
> > > Ben Wilson, DigiCert
> > >
> > > Background
> > >
> > > There has been important progress in the deployment of DNSSEC in
> > > the past 12 months. And there is now a reasonable expectation
> > > that most DNS TLDs will be signed within the next 12 months.
> > >
> > > The question of how to deploy DNSSEC, and whether deployment is
> > > feasible, has opened up an opportunity to consider how DNSSEC
> > > will be used in practice. It would be a remarkably poor use of
> > > time and resources, for instance, to deploy an infrastructure as
> > > complex as DNSSEC only to deflect spoofing attacks from the DNS
> > > infrastructure to the BGP infrastructure. And, while providing an
> > > alternative to the existing market for the Certification
> > > Authority infrastructure that has been established over the past
> > > 15 years may be one use of DNSSEC, it is not the only (or even
> > > the best) use that can be made of it.
> > >
> > > Now that DNS registrars are at the point of deployment, questions
> > > about the DNSSEC business model cannot be ignored any longer. The
> > > registrars are being asked to make a substantial investment to
> > > support DNSSEC. And, in order to justify that investment, most
> > > will expect to demonstrate benefits to their customers that are
> > > concrete and immediate.
> > >
> > > DNSSEC is a PKI. Certification Authorities are in the business of
> > > deploying, managing and marketing PKIs. DNSSEC offers capabilities
> > > that the X.509v3 model does not. And, X.509v3 is designed to
> > > support use cases that DNSSEC is not. Certification Authorities
> > > are also the traditional partners that DNS registrars have relied
> > > upon to fulfill their customers’ existing PKI needs.
> > >
> > > There are many potential benefits of combining the X.509v3 and
> > > DNSSEC models. DNSSEC provides a key-validation mechanism that is
> > > directly tied to the Internet naming system: the DNS. X.509v3
> > > provides support for Trusted Third Party services, including
> > > assurance that the key-holder is a legitimate business entity,
> > > has authorized the issuance, and can be held accountable.
> > >
> > > The practices and liability model of DNSSEC are (at best)
> > > incompletely documented, while X.509v3 provides a liability model
> > > that is designed to control risk exposure in multi-million dollar
> > > electronic contracts.
> > >
> > > Each infrastructure offers capabilities that the other does not.
> > > We can either attempt to grow one infrastructure to encompass the
> > > other, or we can use both in combination. Important areas of
> > > potential benefit include:
> > >
> > > Security Policy
> > >
> > > The security of SSL would be significantly improved if there were
> > > a means of ensuring that clients select the strongest level of
> > > security available for a site. While HSTS 'strict security'
> > > offers this service after first contact, DNSSEC has the potential
> > > to offer it on every contact.
> > >
> > > Certification Authority Authorization
> > >
> > > One of the biggest challenges facing a Certification Authority is
> > > avoiding certificate mis-issuance. Mis-issuance events can damage
> > > a CA brand for decades, and have led some to assert that the
> > > security of the SSL PKI is determined by the issuance practices
> > > of the weakest, most negligent CA in the browser trust store.
> > > CAA is a proposal that uses DNS records to specify which CAs are
> > > authorized to issue for a given domain, thereby preventing this
> > > form of downgrade attack.
> > >
> > > Strong Wildcards / Ubiquitous Keying
> > >
> > > Wildcard certificates have proven benefits for certain purposes.
> > > But the lack of a direct binding to the actual end-entity domain
> > > name remains somewhat unsatisfactory. Combining wildcard
> > > certificates with DNSSEC may allow this limitation to be overcome.
> > >
> > > Lifecycle Management
> > >
> > > As with any PKI, DNSSEC requires support infrastructure for key
> > > lifecycle management. PKI vendors already provide and maintain
> > > infrastructures to manage the lifecycle of the cryptographic keys.
> > > Most enterprises will be best served by one infrastructure that
> > > can manage keys for both X.509 and DNSSEC.
> > >
> > > Liability control
> > >
> > > Early attempts to establish X.509v3 PKI were frustrated by the
> > > lack of consideration for the liabilities that issuing parties
> > > incur by signing public-keys for unspecified purposes. DNSSEC
> > > lacks the sophisticated controls that have been developed to
> > > control and mitigate such liabilities. But, ignoring a legal
> > > issue does not cause it to go away. In particular, DNSSEC does
> > > not allow a key-signer to specify: the practices under which the
> > > key was validated, the intended field of use, or what relying
> > > party expectations are reasonable. Simple measures would allow
> > > the existing features used to mitigate litigation risks in
> > > X.509v3 to be applied in the context of DNSSEC.
> > >
> > > Realizing these potential benefits represents a multi-party action
> > > problem. While it is easy to propose technical standards to
> > > implement such measures, realizing the benefits is only possible
> > > if there is common interest in establishing a business
> > > infrastructure to support them. Infrastructure is useless without
> > > applications that use it, just as applications are useless
> > > without the infrastructure upon which they were built to rely.
> > >
> > > __________________________________________________
> > >
> > > .ORG, The Public Interest Registry
> > >
> > > Mobile: +1 703-929-6395 | www.pir.org |
> > >
> > > Find us on Facebook | .ORG Blog | Flickr | YouTube | Twitter |
> > >
> > > Confidentiality Note: Proprietary and confidential to .ORG, The
> > > Public Interest Registry. If received in error, please inform
> > > sender and then delete.
> >
> > _______________________________________________
> > Certsanddns mailing list
> > Certsanddns at cabforum.org
> > http://cabforum.org/mailman/listinfo/certsanddns
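The "Certification Authority Authorization" paragraph in the forwarded announcement describes CAA only in outline: DNS records name the CAs that may issue for a domain, and DNSSEC is what stops an attacker from simply spoofing those records away. The following is an added example, not part of this thread or of any CA/Browser Forum or DNSSEC Coalition material, showing how a CA would evaluate CAA before issuing. It follows the processing rules as they were later standardized in RFC 8659: climb from the requested name toward the root and let the closest name that has a CAA RRset govern; "issue" records govern ordinary requests and "issuewild" records govern wildcard requests when present; an unrecognized tag with the critical flag (128) set blocks issuance; an issuer domain of ";" authorizes nobody; and a lookup that cannot be validated is treated as a hard failure, so the CA does not issue. The zone contents, the BOGUS set (standing in for a DNSSEC validation failure) and all names are constructed for the demo; a real CA would replace lookup_caa() with a DNSSEC-validating resolver query.

```python
"""Offline model of CAA (Certification Authority Authorization) checking.

Added example: ZONE and BOGUS are constructed demo data standing in for a
DNSSEC-validating resolver. Rules follow RFC 8659, the standardized form of
the CAA proposal referred to in the announcement.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128  # flags bit 7: an unknown tag with this bit set blocks issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str  # "<issuer-domain>[; param=value ...]"; a bare ";" authorizes nobody


# Constructed zone data: owner name -> CAA RRset. Not real DNS.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca.example.net; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [CAARecord(0, "issue", ";")],
    "example.org.": [CAARecord(0, "issuewild", "wild-ca.example.net")],
    "example.net.": [CAARecord(ISSUER_CRITICAL, "future-tag", "x")],
}

# Constructed: names whose CAA lookup fails DNSSEC validation in this model.
BOGUS = {"bogus.example.com."}


class LookupFailure(Exception):
    """The CAA RRset could not be obtained or validated."""


def _canonical(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _parent(name: str) -> Optional[str]:
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for one DNSSEC-validated CAA query."""
    if name in BOGUS:
        raise LookupFailure("DNSSEC validation failed for %s" % name)
    return ZONE.get(name, [])


def relevant_caa(fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s.3: the closest non-empty CAA RRset on the path to the root governs."""
    name: Optional[str] = _canonical(fqdn)
    while name is not None:
        rrset = lookup_caa(name)
        if rrset:
            return name, rrset
        name = _parent(name)
    return None, []


def _issuer_domain(value: str) -> str:
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue for fqdn.
    A leading '*.' marks a wildcard request; the label is stripped before lookup."""
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]
    try:
        owner, rrset = relevant_caa(fqdn)
    except LookupFailure as exc:
        return False, "lookup failure, do not issue: %s" % exc
    if not rrset:
        return True, "no CAA RRset on %s or any parent" % fqdn
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, "critical unknown tag %r at %s" % (r.tag, owner)
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    if wildcard and issuewild:
        governing = issuewild
    else:
        governing = [r for r in rrset if r.tag.lower() == "issue"]
    if not governing:
        return True, "no governing issue/issuewild records at %s" % owner
    allowed = {_issuer_domain(r.value) for r in governing} - {""}
    if ca_domain.lower() in allowed:
        return True, "%s authorized by CAA at %s" % (ca_domain, owner)
    return False, "%s not in issuer set %s at %s" % (ca_domain, sorted(allowed), owner)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example.net"),
                     ("www.example.com", "other-ca.example"),
                     ("shop.example.com", "ca.example.net"),
                     ("*.example.org", "wild-ca.example.net"),
                     ("host.example.net", "ca.example.net"),
                     ("bogus.example.com", "ca.example.net")]:
        print(name, ca, may_issue(name, ca))
```

The failure-mode cases are the ones worth studying: shop.example.com shows a zone owner forbidding all issuance with ";", example.net shows a record the CA does not understand but must honour because the critical bit is set, and bogus.example.com shows why the announcement ties CAA to DNSSEC. Without validation an attacker who can forge the DNS response can strip the RRset and the CA would fall through to the "no CAA RRset" branch, which is exactly the downgrade the paragraph warns about.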