

To: <keydist@cafax.se>, "Edward Lewis" <lewis@tislabs.com>
Cc: <lewis@tislabs.com>
From: "James Seng" <jseng@pobox.org.sg>
Date: Thu, 28 Mar 2002 09:55:18 +0800
Sender: owner-keydist@cafax.se
Subject: Re: Leveraging trust

I know we are still divided on the issue of trust model, whether it is in
scope or not.

The difficulty of discussing a trust model for key distribution, especially
using DNS, is that it is built on one and only one model - hierarchy.
Hierarchy with a single root is the only model we know that scales on the
Internet, but we should not ignore that there are other models which also
work at large scale (see phone numbers).

I believe we should look at DNS as just another key distribution mechanism.
The goal here is how to distribute keys over DNS "securely". Here, I define
"securely" as only data integrity. And we have to limit the applications of
these keys, specifying where they would be useful (e.g. SSH, IPSEC) and where
they are not (e.g. wire transfer).

The authentication of the keys and the trust model to do that key
verification is another aspect of the bigger problem someone has to solve.
Someone could be someone else, not necessarily us. Or it could be tackled when
we finish the first goal. However, to squeeze these two topics together is
getting nowhere.

Let's get our priorities correct and then proceed one step at a time.

-James Seng

> There seems to be some disagreement on whether leveraging trust is a
> problem or not.
>
> Assume for a moment that DNSSEC has a signed root and a sequence of signed
> zones down to a point in the DNS, and that point either has a key for an
> application or indicates where a key can be found.
>
> On the other hand assume that it is up to each instance of an application
> (eg a server in a server/client application) to distribute the keys without
> DNS.
>
> In the first situation, by distributing the one root key, one can validate
> all other information in the DNS.  Of course, if that root key is "broken"
> then everything is vulnerable.  In the second situation, each and every
> instance has to distribute the key, but there is no single Achilles' heel.
>
> From the point of view of a single instance, distributing individual keys
> looks to be more promising than a root key because the workload is the same
> (perhaps less) and there is no larger fallout of breaking the one
> distributed key.  (If I'm only interested in a single instance, then
> fallout isn't a concern, and basically the two approaches are the same.)
>
> But if I want to scale the distribution model, I see a tradeoff of a single
> key breaking versus the vulnerability of a lot of key distribution work.
> This is in essence the tradeoff of DNS versus no DNS bootstrap.
>
> It seems to me that it is worth strengthening the security of the root
> rather than just dismissing it out of hand.  Yes, a single root is a
> vulnerable point, but is there any other way to address scalability?
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis                                                NAI Labs
> Phone: +1 443-259-2352                      Email: lewis@tislabs.com
>
> Opinions expressed are property of my evil twin, not my employer.
>
>
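The two situations Ed describes in the quoted message (one signed root over a
chain of signed zones, versus each application instance distributing its own
key) can be made concrete. What follows is an added example, not from the
thread and not from any DNSSEC implementation: a toy validator that walks a
chain of zone keys down from a trust anchor and exercises both failure modes
under discussion, a forged chain without the root private key and a forged
chain with it, next to the per-instance model where a stolen key forges only
its own instance. The zone names (example., host.example., a.example.,
b.example.), the SSH host key bytes, and the Lamport one-time signature used in
place of a real zone signing algorithm are all assumptions made for the
example so that it runs with the standard library only.

```python
"""Toy chain-of-trust validator for the two models in Ed Lewis's message:
one root trust anchor above a signed hierarchy of zone keys (the DNSSEC
shape) versus one trust anchor per application instance.

ASSUMPTION: a Lamport one-time signature over SHA-256 stands in for the
public-key algorithm a real zone would use, so this runs with the standard
library only. It is not what DNSSEC specifies; only the chain logic matters."""
import hashlib
import os

H = hashlib.sha256


def keygen():
    """Lamport OTS: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    d = int.from_bytes(H(msg).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def sign(sk, msg):
    """Reveal one secret of each pair, chosen by the bits of SHA-256(msg).
    A Lamport key is safe for ONE message; the reuse below is deliberate."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg, sig):
    """Every revealed secret must hash to the published half the bit selects."""
    return len(sig) == 256 and all(
        H(sig[i]).digest() == pk[i][b] for i, b in enumerate(_bits(msg)))


def pk_bytes(pk):
    """Canonical encoding of a public key so a parent zone can sign it (DS-like)."""
    return b"".join(a + b for a, b in pk)


def sign_link(parent_sk, child_name, child_pk):
    return sign(parent_sk, child_name.encode() + pk_bytes(child_pk))


def validate_chain(anchor_pk, chain, rec_name, rec_data, rec_sig):
    """Walk from the trust anchor down: each zone key in `chain` must be signed
    by the key above it, and the final record by the last zone key.
    An empty chain means the anchor itself signs the record (per-instance model)."""
    current = anchor_pk
    for name, pk, sig in chain:
        if not verify(current, name.encode() + pk_bytes(pk), sig):
            return False, "key for %s not signed by its parent" % name
        current = pk
    if not verify(current, rec_name.encode() + rec_data, rec_sig):
        return False, "record %s not signed by its zone key" % rec_name
    return True, "ok"


def scenario_hierarchy():
    """Constructed zones: root -> example. -> host.example. -> SSH host key record."""
    root_sk, root_pk = keygen()
    tld_sk, tld_pk = keygen()
    host_sk, host_pk = keygen()
    chain = [("example.", tld_pk, sign_link(root_sk, "example.", tld_pk)),
             ("host.example.", host_pk, sign_link(tld_sk, "host.example.", host_pk))]
    ssh_key = b"ssh-ed25519 AAAAC3...constructed-host-key"  # constructed placeholder
    rec_sig = sign(host_sk, b"host.example." + ssh_key)
    out = {"honest": validate_chain(root_pk, chain, "host.example.", ssh_key, rec_sig)[0]}

    # Attacker without the root key: a chain hung off their own root fails our anchor.
    evil_root_sk, _ = keygen()
    evil_zone_sk, evil_zone_pk = keygen()
    evil_key = b"attacker-controlled key"
    evil_rec_sig = sign(evil_zone_sk, b"example." + evil_key)
    bogus = [("example.", evil_zone_pk, sign_link(evil_root_sk, "example.", evil_zone_pk))]
    out["wrong_root_rejected"] = not validate_chain(
        root_pk, bogus, "example.", evil_key, evil_rec_sig)[0]

    # Attacker holding the real root private key: the one Achilles' heel.
    # (Second use of root_sk; fine for the demo, fatal for a real one-time key.)
    forged = [("example.", evil_zone_pk, sign_link(root_sk, "example.", evil_zone_pk))]
    out["root_compromise_forges_all"] = validate_chain(
        root_pk, forged, "example.", evil_key, evil_rec_sig)[0]
    return out


def scenario_per_instance():
    """Each server distributes its own key; the validator holds one anchor per
    instance. Stealing a.example.'s key forges a.example. and nothing else."""
    anchors, secrets = {}, {}
    for name in ("a.example.", "b.example."):
        secrets[name], anchors[name] = keygen()
    evil_key = b"attacker-controlled key"
    stolen = secrets["a.example."]
    forged_a = validate_chain(anchors["a.example."], [], "a.example.", evil_key,
                              sign(stolen, b"a.example." + evil_key))[0]
    forged_b = validate_chain(anchors["b.example."], [], "b.example.", evil_key,
                              sign(stolen, b"b.example." + evil_key))[0]
    return {"a_forged": forged_a, "b_unaffected": not forged_b}


if __name__ == "__main__":
    print("hierarchy:   ", scenario_hierarchy())
    print("per-instance:", scenario_per_instance())
```

Running it prints the booleans for both scenarios. The point is the one in the
quoted message: validate_chain accepts anything the root private key blesses,
for any name, while in the per-instance model a stolen key forges exactly one
instance and the rest are untouched. The chain check also provides only what
James calls "securely" here, data integrity: it establishes that the record is
what the signer published, and says nothing about whether example. ought to be
trusted for a given application.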

