[dns-operations] DNSSEC deployment incentives

Warren Kumari warren at kumari.net
Wed Jun 19 15:07:21 UTC 2019


On Wed, Jun 19, 2019 at 10:42 AM Shumon Huque <shuque at gmail.com> wrote:
>
> On Wed, Jun 19, 2019 at 9:01 AM Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>>
>>
>>>
>>> > And BTW: If we count trust roots the way that the EFF did, DNSSEC has a
>>> > million trust roots (or however many zones are signed) not one. It was an
>>> > utterly bogus comparison.
>>>
>>> This is in turn a false analogy.
>>
>>
>> No, the analogy is exact, The DFN root also constrained the sub-CAs so that they could not issue an arbitrary certificate. This was pointed out to the EFF, they chose not to correct.
>
>
> Hi Phil,
>
> Can you provide a pointer to this EFF study?
>

I'm assuming that Phillip is referring to the EFF SSL Observatory -
https://www.eff.org/observatory and the "650-odd organizations that
**function as** Certificate Authorities trusted (directly or
indirectly) by Mozilla or Microsoft." (emphasis mine).
There was a web based interface which has since been shut down, but
instructions to spin up your own under AWS / EC2 are here:
https://www.eff.org/pages/howto-using-ssl-observatory-cloud

There is a lot of revisionist history in this thread that I'm simply
staying out of, but this seemed like a simply factual pointer I could
add.

W

> The study that most people cite is this one by the University of Michigan from IMC, 2013:
>
>     https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
>
> Admittedly, it's a bit dated, and I'm sure CT etc have improved things some, but this paper does not paint a pretty picture.
>
> They find ~ 1800 distinct CAs including root CAs and sub-CAs issued to organizations, controlled by 683 distinct organizations. Only a tiny minority of the sub-CAs actually had a Name Constraints extension, so most of them were in effect unconstrained in their ability to issue. (Let's disregard for the time being that the observed Name Constraints were not marked 'Critical', so were in effect optional for relying party software).
>
> Have the findings in that paper been challenged or debunked? If so, I haven't seen it. It would be good to re-run this study for 2019.
>
> Shumon.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
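The quoted Michigan/IMC finding turns on two properties of a sub-CA certificate: whether it carries a Name Constraints extension at all, and whether that extension is marked critical (a non-critical one may be ignored by relying-party software, as the thread notes). The script below is an added example, not code from this thread, the EFF Observatory or the IMC paper; it uses the `cryptography` library (an assumption) to build three constructed sample sub-CA certificates and to audit any certificate for exactly those two properties, the way one would when re-running such a study over a corpus of CA certificates.

```python
"""Audit CA certificates for Name Constraints and criticality (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_sub_ca(common_name, permitted_suffixes=None, critical=True):
    """Construct a self-signed sample CA cert (constructed test data, not a real CA).

    permitted_suffixes: DNS suffixes for a Name Constraints 'permitted' subtree,
    or None to emit an unconstrained CA. 'critical' sets the extension's flag.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2019, 6, 19)  # arbitrary constructed validity window
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    if permitted_suffixes is not None:
        constraints = x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(s) for s in permitted_suffixes],
            excluded_subtrees=None,
        )
        builder = builder.add_extension(constraints, critical=critical)
    return builder.sign(key, hashes.SHA256())


def audit_ca(cert):
    """Classify a certificate by the two properties the IMC study counted.

    verdict is one of:
      'unconstrained'              - CA with no Name Constraints extension
      'constrained'                - Name Constraints present and critical
      'constrained-but-ignorable'  - Name Constraints present but NOT critical,
                                     so a relying party may silently ignore it
    """
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    try:
        ext = cert.extensions.get_extension_for_class(x509.NameConstraints)
    except x509.ExtensionNotFound:
        return {"is_ca": is_ca, "constrained": False, "critical": False,
                "permitted": [], "verdict": "unconstrained"}
    permitted = [n.value for n in (ext.value.permitted_subtrees or [])
                 if isinstance(n, x509.DNSName)]
    verdict = "constrained" if ext.critical else "constrained-but-ignorable"
    return {"is_ca": is_ca, "constrained": True, "critical": ext.critical,
            "permitted": permitted, "verdict": verdict}


def audit_pem(pem_bytes):
    """Audit a PEM-encoded certificate (e.g. one pulled from a CA bundle or CT log)."""
    return audit_ca(x509.load_pem_x509_certificate(pem_bytes))


def tally(certs):
    """Count verdicts over a corpus, the headline number a re-run of the study would report."""
    counts = {"unconstrained": 0, "constrained": 0, "constrained-but-ignorable": 0}
    for cert in certs:
        counts[audit_ca(cert)["verdict"]] += 1
    return counts


if __name__ == "__main__":
    corpus = [
        build_sub_ca("Sample Unconstrained Sub-CA"),
        build_sub_ca("Sample Constrained Sub-CA", ["example.com"], critical=True),
        build_sub_ca("Sample Non-critical Sub-CA", ["example.com"], critical=False),
    ]
    for cert in corpus:
        print(cert.subject.rfc4514_string(), "->", audit_ca(cert)["verdict"])
    print(tally(corpus))
```

`audit_pem` is the entry point for real input: feed it each CA certificate from a trust store or an Observatory-style dump and aggregate with `tally` to reproduce the "how many sub-CAs are actually constrained" figure. The `constrained-but-ignorable` bucket is the one the thread flags as misleading: the extension is present, so a naive count would call the CA constrained, yet a relying party that does not implement Name Constraints is free to treat it as unconstrained.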