[arin-announce] ARIN Resource Certification Update

Mark Andrews marka at isc.org
Sun Jan 30 17:01:06 CST 2011

In message <4D457F0E.7070805 at consolejunkie.net>, Leen Besselink writes:
> Hello Carlos,
> On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote:
> > What I just don´t get if, we as a society, have created institutions
> > we trust with our *money* (AKA banks), why there can´t be institutions
> > we trust with our crypto keys. I know that banks sometimes fail, and
> > yes, probably "crypto banks" will sometimes fail as well, but on the
> > whole, the failure rate of trusted institutions can be quite low,
> > acceptably low.
> >
> Well, we tried to trust the Certificate Authorities for SSL/TLS but that
> has failed too.
> And they don't even hold private keys.
> Your browser now indirectly trusts 1000+ (sub) certificate authorities.
> Do I actually trust them all ? No, I don't but they could all sign a
> certificate for paypal.com* which my browser would trust just fine.
> A simple example is CNNIC which is a Chinese government agency, the people
> in China don't trust them, so why should I ?
> Should the browser really trust a German university to sign paypal.com* ?
> How about an agency in the United Emirates ? How about my own government ?
> Or Time Warner/AOL or Ford Motor company or Google  ?
> And so on.
> https://www.eff.org/files/colour_map_of_CAs.pdf
> https://www.eff.org/observatory
> http://www.youtube.com/watch?v=VUKCDm04AqI
> http://events.ccc.de/congress/2010/Fahrplan/events/4121.en.html
> http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse
> -a-safe-place.pdf
> At this point, I would really like to see someone implement a
> DNS-recursive nameserver which can be configured to only trust the root
> to DNSSEC-sign the root zone and nothing else. And allow
> the owners/operators/whatever of .com only allow to sign .com. Nothing more.

Every validating recursive nameserver on the planet can be configured
to do exactly that.  Just install the root's keys and don't install
any others.  You won't be able to validate as secure data from security
islands but that is what you want and is becoming less necessary as TLD
start to get signed and accept DS records.

> But that isn't really what DNSSEC was designed to do. I am however glad
> people are working on adding DNSSEC to the browser and some hash in DNS
> which tells the browser which certificate or CA's are trusted for a domain.
> Even though it seems to be going slow, because there are many reasons
> why DNSSEC won't be deployed to users any time soon.

A user can turn on DNSSEC any time they want to.  Some ISPs have already
turned on DNSSEC in their customer facing resolvers.
> * Yes, I know Paypal.com uses an EV-certificate (green bar) and there
> are a lot less CA's for that, but
> it is just an example of a website.
> How about the Chinese government reading what you do on gmail while you
> are in China ? That is
> just an example of something that does not use an EV-cert.
> I'm not satisfied with the banks in my country either. It seems in both
> cases to be a race to the bottom.
> Cuttings costs any place they can, like reducing staff. Making it harder
> and harder to use cash.
> The CA's seem to be a race to the bottom too. They are not spending
> money trying to improve their
> systems, even though the environment around them is changing. Just
> trying to make money from their
> existing business.
> Because it already is a race to the bottom, might as well offer free
> certificates so everyone can use them
> to secure any site. One CA already does this: https://www.startssl.com/
> They atleast to me seem to be
> very proactive.
> The problem with banks is, I've not found a good alternative yet.
> Fully support StartSSL and RIPE for trying to lower the bar for more
> security.
> Have a nice weekend,
>     Leen.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the NANOG mailing list