On Wed May 18 19:03:58 2011, Glenn Maynard wrote:
There also seems to be a fundamental issue with depending on DNSSEC when also depending on TLS certificates: there are two separate trust chains. With TLS, root CAs have to be trusted; with DNSSEC, DNS registrars have to be trusted. By not trusting DNS, an entire chain of trust is avoided.

That's not entirely accurate.

DNSSEC relies on trusting IANA; there is one single Trust Anchor for the entire DNS (DLV aside, anyway). But the trust only extends to trusting the records; you might be assured that the record you receive really is from example.org, for example, but there's no telling who example.org *is*.

X.509 certificates rely on having a common Trust Anchor - in effect. There are ways of reducing the problem of multiple trust anchors (such as cross-certification of CAs), but in an internet setting at least these are little used. However, X.509 certificates can tell you a significant amount *more* than the domain name involved; the extended validation fields, for instance, tell you a company name.

At least one approach to authentication relies on both. The idea is to use DNSSEC to locate certificates - largely ignoring the domain name information within - but to use the CAs to provide extended validation above and beyond mere domain-name validation.

So, back to the point.

I suspect that if the discovery points to evil.org, we'd use evil.org as the authorization identifier to locate in the certificate. This is indeed unfortunate, and relies on a secure (i.e., DNSSEC) SRV/TXT pointer to evil.org.

But in practice I'm not sure what more we can hope for - the domain name validated by a browser-based BOSH client will be selected by the browser. The solution there would be to add an additional record that can then be used for validation, so we'd have:

_xmppconnect IN TXT "_xmpp-client-xbosh=https://bosh.jabber.org:5280/bind";
_xmppconnect IN A 172.16.37.54
_xmppconnect IN AAAA fe80::1

And browsers then ignore the hostname supplied by the _xmppconnect TXT record and instead use (and therefore validate) the _xmppconnect address record, which should essentially work. It *is* quite certainly a hack, though, and I'm quite sure this isn't a finished solution.

Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
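Added example (editor's illustration, not code from Dave or from any XMPP project): the decision Dave describes above, written out as a small BOSH discovery check. It parses an _xmppconnect TXT record in the form he shows, then chooses the reference identity the endpoint's TLS certificate must carry: the discovered hostname only when the resolver reported the TXT answer as DNSSEC-authenticated, and otherwise the domain the user originally typed. The TXT strings, certificate SAN lists and the "jabber.org"/"evil.org" inputs below are constructed for the demonstration; the rule of falling back to the source domain for an insecure pointer is the editor's assumption (it is the RFC 6125 source-domain/derived-domain distinction), not something the thread states.

```python
"""BOSH endpoint discovery vs. TLS reference identity (added example).

Shows why an insecure (non-DNSSEC) _xmppconnect pointer to evil.org must not
turn evil.org into the name the certificate is validated against.
"""
from urllib.parse import urlsplit

XBOSH_PREFIX = "_xmpp-client-xbosh="  # attribute name used in the TXT record


def parse_xbosh_txt(txt_strings):
    """Return the https BOSH URL from the _xmppconnect TXT strings, or None."""
    for s in txt_strings:
        if not s.startswith(XBOSH_PREFIX):
            continue
        url = s[len(XBOSH_PREFIX):]
        parts = urlsplit(url)
        # Only an https URL with a hostname is a usable discovery target.
        if parts.scheme == "https" and parts.hostname:
            return url
    return None


def reference_identity(source_domain, bosh_url, dnssec_secure):
    """Pick the DNS-ID the endpoint certificate must match.

    source_domain  - the domain the user asked for (e.g. "jabber.org")
    bosh_url       - URL taken from the TXT record
    dnssec_secure  - True only if the resolver authenticated the TXT answer
                     (AD bit set with a validating resolver)

    Assumption: a hostname learned from an unauthenticated pointer is never
    promoted to identity; the client keeps validating the source domain.
    """
    derived = urlsplit(bosh_url).hostname.lower()
    return derived if dnssec_secure else source_domain.lower()


def dns_id_matches(reference, san_dns_names):
    """Match a reference identity against dNSName SAN entries.

    Exact match, or a single wildcard in the left-most label with at least
    two labels to its right (so "*.org" never matches anything).
    """
    ref_labels = reference.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(ref_labels):
            continue
        if labels == ref_labels:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == ref_labels[1:]:
            return True
    return False


def check_bosh_endpoint(source_domain, txt_strings, dnssec_secure, cert_san):
    """Full decision: where to connect, which name to validate, and the verdict."""
    url = parse_xbosh_txt(txt_strings)
    if url is None:
        return None
    ref = reference_identity(source_domain, url, dnssec_secure)
    return {
        "url": url,
        "reference_identity": ref,
        "cert_ok": dns_id_matches(ref, cert_san),
    }


if __name__ == "__main__":
    # Constructed records: the honest deployment from the thread, and a
    # spoofed (unauthenticated) pointer to evil.org.
    honest_txt = ['_xmpp-client-xbosh=https://bosh.jabber.org:5280/bind']
    spoofed_txt = ['_xmpp-client-xbosh=https://evil.org:5280/bind']

    print(check_bosh_endpoint("jabber.org", honest_txt, True, ["*.jabber.org"]))
    # secure pointer: validate bosh.jabber.org, wildcard cert matches -> ok
    print(check_bosh_endpoint("jabber.org", spoofed_txt, False, ["evil.org"]))
    # insecure pointer: reference stays jabber.org, evil.org's cert fails
```

Note the asymmetry this encodes: with a DNSSEC-secured pointer the client accepts a certificate for the discovered host (Dave's "we'd use evil.org as the authorization identifier", which is only safe because the pointer itself was authenticated); without it, evil.org would need a certificate for jabber.org, which brings the decision back to the CA trust chain rather than to whoever spoofed the DNS answer.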
