Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Tony Finch dot at dotat.at
Mon Sep 12 22:00:47 UTC 2011

> > > > with dane, i trust whoever runs dns for citibank to identify the cert
> > > > for citibank.  this seems much more reasonable than other approaches,
> > > > though i admit to not having dived deeply into them all.
> > > If the root DNS keys were compromised in an all DNS rooted world...
> > > unhappiness would ensue in great volume.

Compromise of DNSSEC == compromise of one or more DNS registries.
This is a fate sharing situation. A few single points of failure
rather than hundreds.

Note that a big weak point in the DNS is the interface between the
registrars and the registry. If you have a domain you have to trust the
registry to impose suitable restrictions on its registrars to prevent a
dodgy registrar from stealing your domain. Another, of course, is the
interface between a registrar and its customers.

> It also drives up complexity too and makes you wonder what the added
> value of those cert vendors is for the money you're forking over.

During rollout the cert vendors will be providing backwards compatibility.

> Especially when you consider the criticality of dns naming for everything
> except web site host names using tls.

If a website using TLS loses its DNS then (a) you can't reach it, and (b)
the attacker can trivially obtain a new domain validated certificate.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fisher, German Bight, Humber, Thames, Dover: Southwest 7 to severe gale 9.
Rough or very rough, becoming high in Fisher. Showers. Moderate or good.

More information about the NANOG mailing list