You are working on wrong assumptions. The DV certs are exactly as strong as your DNS is. You only need to attack DNS to issue a DV cert.
Ondrej Sury

On 5.10.2010, at 18:32, "Kemp, David P." <dpk...@missi.ncsc.mil> wrote:

> You are confusing attack surface with vulnerability. Without getting
> into technology specifics, if A .and. B must be successfully attacked in
> order to cause a problem, then having two systems can only reduce the
> vulnerability even though there are more places to attack.
>
> If the problem is availability, then the best strategy is redundancy -
> use multiple sources for a single information item. If the problem is
> integrity, the best strategy is diversity - use different sources for
> different information items. If either source gives the wrong answer
> you fail, but fail safely. (Redundancy and diversity can be combined of
> course, but then combining rules such as voting thresholds have to be
> specified.)
>
> For the DNS/PKI case, if A is an IP address for a dnsname and B is a
> public key for a dnsname, then it is necessary to attack the sources of
> A and B in order to successfully spoof a named server. If A and B come
> from the same system (e.g., DNS) it is necessary to attack only that
> system. If they come from different systems (DNS and PKI) then it is
> necessary to attack both. Attacking only one may cause an availability
> failure, but not an integrity failure.
>
> Dave
>
>
> -----Original Message-----
> From: pkix-boun...@ietf.org [mailto:pkix-boun...@ietf.org] On Behalf Of
> Ben Laurie
>
> > If I deploy the DNS solution, stating that DNS is authoritative, then
> > my attack surface now excludes all CAs. How is that an increase in
> > attack surface?
> >
> > Contrast with today's situation, where my attack surface is increased
> > on a regular basis by the introduction of new CAs, without any
> > consultation with me at all.
> >
> _______________________________________________
> pkix mailing list
> p...@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
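The three positions in this thread (Kemp's independent-source argument, Sury's point that a DV certificate reduces to DNS, and Laurie's DNS-authoritative proposal) can be compared with a small minimal-cut-set model. This is an added example, not code from any of the posters; the three deployment models are deliberate simplifications constructed for it, and the system names ("dns", "ca") are placeholders.

```python
from itertools import combinations

# Goal: spoof a named server. The attacker must control BOTH the address
# item A and the public-key item B as seen by the client. Each item lists
# the alternative sets of systems whose compromise yields control of it.
# Constructed simplification of the thread's three positions.
DEPLOYMENTS = {
    # Kemp's premise: A comes from DNS, B from a CA that does not rely on DNS.
    "dns + independent ca": {"A": [{"dns"}], "B": [{"ca"}]},
    # Sury's point: a DV CA validates via DNS, so controlling DNS also
    # yields a certificate; controlling the CA itself also works.
    "dns + dv ca": {"A": [{"dns"}], "B": [{"ca"}, {"dns"}]},
    # Laurie's proposal: DNS is authoritative for the key as well.
    "dns authoritative": {"A": [{"dns"}], "B": [{"dns"}]},
}


def spoof_possible(model, compromised):
    """True if the compromised systems give control of every required item."""
    return all(any(way <= compromised for way in options)
               for options in model.values())


def minimal_cut_sets(model):
    """Smallest sets of systems whose compromise allows an integrity failure."""
    systems = sorted({s for opts in model.values() for way in opts for s in way})
    cuts = []
    for size in range(1, len(systems) + 1):
        for combo in combinations(systems, size):
            cand = set(combo)
            # Keep only candidates that work and contain no smaller cut already found.
            if spoof_possible(model, cand) and not any(c <= cand for c in cuts):
                cuts.append(cand)
    return [sorted(c) for c in cuts]


def fail_safe_only(model, compromised):
    """Kemp's 'fail safely': the attacker can disrupt some item (availability)
    but cannot make the client accept a spoofed server (integrity)."""
    disrupted = any(any(way & compromised for way in opts) for opts in model.values())
    return disrupted and not spoof_possible(model, compromised)


if __name__ == "__main__":
    for name, model in DEPLOYMENTS.items():
        print(f"{name:22s} minimal cut sets: {minimal_cut_sets(model)}")
    # Compromising only the CA under Kemp's model is an availability loss, not a spoof.
    print("ca alone, independent ca:", fail_safe_only(DEPLOYMENTS["dns + independent ca"], {"ca"}))
```

The output shows the thread's disagreement in one table: only the independent-CA model needs two systems attacked, while both the DV-CA and DNS-authoritative models collapse to a single cut set containing DNS.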