To:
Steve Hanna <steve.hanna@sun.com>
Cc:
Simon Josefsson <simon+keydist@josefsson.org>, Edward Lewis <lewis@tislabs.com>, keydist@cafax.se
From:
Derek Atkins <warlord@MIT.EDU>
Date:
14 Jan 2002 15:09:52 -0500
In-Reply-To:
<3C4336C1.CBFA7566@sun.com>
Sender:
owner-keydist@cafax.se
User-Agent:
Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject:
Re: looking for draft volunteers
Steve Hanna <steve.hanna@sun.com> writes:
> Good summary. A few comments on your text:
>
> > "Store referral in DNS, retrieve keys via other protocols"
> >
> > This is possible now using, e.g., SRV and LDAP.
> >
> > Requires LDAP over TLS or similar.
>
> Plain LDAP is fine if you're retrieving certs instead of raw keys.
> When using certs, the application's trust in the key comes from
> the fact that the cert was signed by a trusted party, not that it
> came from a particular repository.
That's not true... If you ask for cert X and Mallet hands you cert X'
(signed by CA'), you have no way to know that you've been attacked and
given X' and not X. If, however, there is a clear line of signatures
from the name you asked for to the data you receive, then you know
that you received the right pile-o-bits.
In other words, the referral (to LDAP) must be signed and must give
you a signed hint of the key used to authenticate LDAP. Otherwise you
are still subject to this spoofing attack. Yes, you are subject to
this even with signed certificates -- I only need to find one of your
list of hundreds of CAs that will grant be a certificate and I can
mount this attack.
Note that the reason this attack can happen is because all your
trusted CAs are authoritative for all names, so there is no what to
know that joe-random-CA (which is in your list of trusted CAs)
shouldn't be signing a certificate for Sun.COM. If Sun.COM wanted to
get a cert from joe-random-CA, they could, but there is no way to know
whether the joe-random-CA Sun.COM cert or the mighty-big-CA Sun.COM
cert is the "right" one.
> Since you're trying to be even-handed and discuss how each mechanism
> would work with certs *or* keys, I suggest you change the last
> sentence here to say "If raw keys are used, DNSSEC and LDAP over
> TLS or something similar is required. If certs are used, plain
> DNS and LDAP are fine."
As I just pointed out, it is not. You still need LDAP over TLS with
either the SSL key or key fingerprint signed by DNSSec.
> > Requirements on a Solution
> >
> > "MUST be possible to locate application keys given only IP address
> > or hostname"
>
> You also need *some* sort of trusted key (DNS or PKI). Otherwise,
> you're wide open for impersonation. Note that the first use case for
> SSH above seems to suffer from this problem. You only brought one
> key, the SSH host key for beagle. Now that machine is down. You're
> SOL unless you also have another trusted key.
I think the assumption is 'some DNSSec key'...
> -Steve
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available