[dns-operations] DNSSEC deployment incentives

Phillip Hallam-Baker phill at hallambaker.com
Wed Jun 19 16:42:08 UTC 2019

On Wed, Jun 19, 2019 at 10:33 AM Shumon Huque <shuque at gmail.com> wrote:

> On Wed, Jun 19, 2019 at 9:01 AM Phillip Hallam-Baker <
> phill at hallambaker.com> wrote:
>>> > And BTW: If we count trust roots the way that the EFF did, DNSSEC has a
>>> > million trust roots (or however many zones are signed) not one. It was an
>>> > utterly bogus comparison.
>>> This is in turn a false analogy.
>> No, the analogy is exact. The DFN root also constrained the sub-CAs so
>> that they could not issue an arbitrary certificate. This was pointed out to
>> the EFF, they chose not to correct.
> Hi Phil,
> Can you provide a pointer to this EFF study?

It is cited in the paper you list, it was from 2010 though.

> The study that most people cite is this one by the University of Michigan
> from IMC, 2013:
> https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
> Admittedly, it's a bit dated, and I'm sure CT etc have improved things
> some, but this paper does not paint a pretty picture.

The use of name constraints was not practical until relatively recently due
to the legacy browser issue. But CABForum was already established at that
point and the authors could have approached people and found out why the
operational decisions were made as they were. But they had the story they
wanted to tell.

The fact is that (with some exceptions that had already been stamped out by
that time) even without name constraints, commercial CAs did not issue
unconstrained subordinate CA certs for signing keys not covered by a full

"However with only 20% of the organizations controlling signing
certificates being commercial certificate authorities and less than 25% of
commercial authorities participating in the workgroup, there remains a

Bullshit, there is no such thing as controlling a signing certificate, the
only thing that can be controlled is the signing key. At the time the paper
was written, at least 95% of the signing keys were held by commercial CAs.
And of the 75% of commercial CAs that don't participate in CABrowser forum,
most are not actually operating at all, being CAs that are either in startup
mode or were started and not progressed.

> They find ~ 1800 distinct CAs including root CAs and sub-CAs issued to
> organizations, controlled by 683 distinct organizations. Only a tiny
> minority of the sub-CAs actually had a Name Constraints extension, so most
> of them were in effect unconstrained in their ability to issue. (Let's
> disregard for the time being that the observed Name Constraints were not
> marked 'Critical', so were in effect optional for relying party software).

They were constrained by the private key being held by the root CA.

No university that was part of the DFN network had the ability to sign
certificates for anyone. The private key for every sub-CA was held by DFN.
Which they confirmed after the original EFF study but the EFF chose not to
make a correction despite knowing that their claim of 1800 sub-CA signers
was incorrect by at least 650.

> Have the findings in that paper been challenged or debunked? If so, I
> haven't seen it. It would be good to re-run this study for 2019.

It would be interesting to see how the numbers have changed now that
CABForum has new requirements on Sub-CAs and that browsers have to accept
ECC certs, making proper processing of path constraints viable.
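
The Name Constraints and criticality behaviour discussed in this message, as an added example that is not part of the original post: a simplified Python model of RFC 5280 dNSName constraint matching, contrasting a client that processes Name Constraints with a legacy one that does not. The domain names and the dictionary layout are constructed for illustration; real path validation also covers other name types and every CA in the chain.

```python
# Simplified model of RFC 5280 dNSName Name Constraints and the
# critical flag. Added example; all names are constructed samples.

def dns_in_subtree(name, base):
    """True if `name` equals `base` or adds whole labels to its left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)

def name_permitted(name, permitted, excluded):
    """Excluded subtrees win; an empty permitted list means no restriction."""
    if any(dns_in_subtree(name, b) for b in excluded):
        return False
    return not permitted or any(dns_in_subtree(name, b) for b in permitted)

def validate(leaf_names, name_constraints, client_understands_nc):
    """Return 'accept' or 'reject' for a leaf issued under a sub-CA.

    name_constraints is None (unconstrained sub-CA) or a dict with keys
    'critical', 'permitted', 'excluded' (hypothetical structure).
    """
    if name_constraints is None:
        return "accept"
    if not client_understands_nc:
        # RFC 5280 section 4.2: an unrecognized critical extension forces
        # rejection; an unrecognized non-critical one may be ignored.
        return "reject" if name_constraints["critical"] else "accept"
    ok = all(name_permitted(n, name_constraints["permitted"],
                            name_constraints["excluded"]) for n in leaf_names)
    return "accept" if ok else "reject"

def demo():
    nc = {"critical": False, "permitted": ["uni.example"], "excluded": []}
    strict = dict(nc, critical=True)
    return {
        "aware_in_scope": validate(["www.uni.example"], nc, True),
        "aware_out_of_scope": validate(["bank.example"], nc, True),
        "aware_lookalike": validate(["evil-uni.example"], nc, True),
        "legacy_noncritical": validate(["bank.example"], nc, False),
        "legacy_critical_in_scope": validate(["www.uni.example"], strict, False),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last two cases show the trade-off: a non-critical constraint is silently skipped by a client that does not implement it, while a critical one makes that client reject even in-scope certificates.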