W3C home > Mailing lists > Public > public-xg-webid@w3.org > February 2011

Re: WebID-ISSUE-5 (bblfish): Follow Work in publishing keys in DNSSEC

From: <Pieter.Lange@os3.nl>
Date: Tue, 15 Feb 2011 22:29:48 +0100 (CET)
Message-ID: <49442.2001:610:72a:0:225:4bff:fea0:5c0e.1297805388.squirrel@webmail.os3.nl>
To: "Henry Story" <henry.story@bblfish.net>
Cc: public-xg-webid@w3.org
> Do you see how it could also be useful
> to bypass CAs, and so to allow self signed certificates to work?

The plugin is currently already able to make /direct/ certificate
associations (meaning: end certificate, no CA's or intermediaries
involved).
So yes. :-)

My example was just to emphasize the importance of the new standards. (Now
you have to use the same certificate/key material on your entire farm)
While I do think it is useful to _be able_ to make the certificate
associations without the involvement of a CA, i also think CA's have
provided a useful service and will continue to do so for a while. The most
powerful trust assertion can be made with a HTTPS host serving a CA-signed
certificate backed by a TLSA record in a DNSSEC signed domain.
Don't discount CA's just yet.

Pieter

> Can I forward this to the mailing list? Or if you want just re-send it to
> public-xg-webid@w3.org
>
> Btw, your example is for a server farm. Do you see how it could also be
> useful
> to bypass CAs, and so to allow self signed certificates to work? Or is
> there
> something that would not make that work?
>
> Henry
>
> On 15 Feb 2011, at 15:38, Pieter Lange wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>> I wonder what the relationship is between the Kaminsky format is, and
>>> what
>>> Dane is proposing. Anyway something to follow here too.
>>
>> You don't have to wonder; we link to both resources. We also took the
>> effort to document both methods (TLSA vs TXT) in their most basic form
>> here: https://os3sec.org/technicalbackground.html
>>
>> Basically it is two methods of publishing your certificate associations.
>> Kaminsky chose not to put entire certificates in DNS because he feels
>> they are too big.
>>
>> Both 'standards' (neither are a real standard yet) allow you to have a
>> serverfarm with individual keys for each server. TLSA does this by
>> allowing you to make a certificate association with a 'parent
>> certificate' or otherwise known as a certificate-signing certificate :).
>> (cert type 3/4)
>> Kaminsky does this by simply looking up a hash of the certificate in DNS
>> (prepending the hash to the hostname) and if ANY signed record exists,
>> the certificate is valid.
>>
>> We chose to also implement Kaminsky's TXT format because it is a nice
>> showcase for what is possible. The ability to make policies such as STS
>> known through DNSSEC is very powerful (and needed) and still missing
>> from the dane spec. I'm sure a decent solution for this will come from
>> the workgroup though.
>>
>> Pieter
>>
>> On 02/15/2011 02:19 PM, Henry Story wrote:
>>> News update. There is a Firefox extension for something very much along
>>> these lines,
>>> as Pieter Lange told me.
>>>
>>> On 15 Feb 2011, at 14:07, Pieter Lange wrote:
>>>
>>>> We recently finished* developing an addon for Firefox 4 beta that does
>>>> DNSSEC validation and pulls certificate associations from DNS in dane
>>>> and/or Kaminsky (TXT) format.
>>>>
>>>> See https://os3sec.org/
>>>>
>>>> Regards,
>>>> Pieter
>>>>
>>>> * Finished -> still development in progress, but it is somewhat
>>>> useable
>>>> at this point.
>>>
>>>
>>> I wonder what the relationship is between the Kaminsky format is, and
>>> what
>>> Dane is proposing. Anyway something to follow here too.
>>>
>>> Henry
>>>
>>>
>>> Social Web Architect
>>> http://bblfish.net/
>>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQEcBAEBAgAGBQJNWo//AAoJEEktCr9Rc+j0vKEH/RdrRS3cRfISf9fuxGG2zP8T
>> in1e0ecV2hHw4znCJgtDEY6PcDgSmXgZR4KyWvewVphR20cKz9ZBLrnAVWuwDm3G
>> FtlSBp9cD+gcensiIaYfaquvynf2iQ9SAwKTaoxqSz2+dZobvQH1/hIGb5h4Z/1h
>> uV4mkCek8AtJ792MVH7ZDnOlO3SKHQkYuvNNoyuRF2yw9+FZXCeULXulvVvAPsAL
>> OS0JPJTHTcxpAOtDMRv4BxWebZcFxwIUG0/dkxVKwQj9l54mEQchBXVF70DZCnTT
>> Nx0IvbrmsGsPDSH1oerq8Yn64awUNe/tQmTqzAHMvy3gCnBm3M7o0m6exIb6TCE=
>> =nog6
>> -----END PGP SIGNATURE-----
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Tuesday, 15 February 2011 22:36:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:22 UTC