[dns-operations] 答复: [DNSOP] DNSSEC threshold signatures idea

Fri Sep 7 04:51:06 UTC 2018

Hi Mukund，

Thank you for proposing here for comments and discussion. I would like to
share more background on this if people are interested. 

Actually I was inspired by several sources. One is the Multisignature
(https://en.bitcoin.it/wiki/Multisignature ) concept from Bitcoin which help
to reduce the risk of wallet keys be stolen.

One is from Yeti work we are doing where Hugo gave me some ideas. In Yeti
testbed, we try to implement the concept of "Share Zone Control" proposed by
PVM in ICANN ITI report. We firstly constructed the root system with 3
signers (3ZSK and 1 KSK) . We would like improve this system with more
fault-tolerant property and less dependency on a central entity. There is a
post I put in Yeti blog (https://goo.gl/7i4NxB ). 

When I survey on this, I learnt some concept of threshold signature
algorithms in the crypto academic field, like BLS , Boldyreva and PBC
(Pairing based crypto). But I'm not a crypto guys . I'm just looking for
mature and reliable crypto tool to fit my case, then we can test and try it
in existing testbed. Maybe people on this mailing list can help.

Best regares,
Davey

> -----邮件原件-----
> 发件人: DNSOP [mailto:dnsop-bounces at ietf.org] 代表 Mukund Sivaraman
> 发送时间: 2018年9月7日 0:13
> 收件人: dnsop at ietf.org; dns-operations at dns-oarc.net
> 主题: [DNSOP] DNSSEC threshold signatures idea
> 
> During a coversation about the Yeti project, Davey Song brought up an idea
> about using threshold signatures within DNSSEC. While he talked about it
> primarily for the root zone within the context of having multiple signers
for it,
> I'm curious to know what operators think about the concept for other
zones,
> and if there's any interest in having a working implementation.
> 
> DNSKEY RRs contain public keys. Corresponding secret keys are managed by
> signing entities in various ways:
> 
> * It may be for a low-risk zone and a human may leave the key on the
>   nameserver itself
> 
> * The key may be held by some number of trustworthy staff offline and
>   when signing is required, one of them signs the zone and returns the
>   signed zone
> 
> * It may be managed by an automated system under the control of one or
>   more people
> 
> * It may be held in a locked computer system which may be accessed when
>   multiple trustworthy "keepers" are present
> 
> * There may be schemes like this:
>   https://www.icann.org/news/blog/the-problem-with-the-seven-keys
> 
> In many of these cases, it may be possible for one rogue person to sign
records
> against the wish of the rest of the trustworthy group appointed by a zone
> owner. Even though it's unlikely, it's possible to do so because the
control over
> secret key material may be available to one person, even if it is wrapped
in
> multiple layers.
> 
> The concept of threshold crypto is that there is a public DNSKEY, for
which the
> secret key is not available in a single form where it can be
reconstructed.
> Instead, N members of a group have some key material each respectively,
and
> any M (< N) members of the group may work together to prepare RRSIGs by
> using their respective key materials individually, and collaborating to
generate
> the signatures.
> 
> It may be possible for such a scheme to be compatible with existing DNSSEC
> algorithms. Is there any operator interest in this?
> 
> 		Mukund
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP at ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop