Sorry it's taken me so long to get back to this.
On 3/31/2018 7:09 PM, Tony Finch wrote:
> There are a few pertinent differences between trust anchor witnesses and
> the undeployed RFC 5011 many-keys setup:
> * in RFC 5011 each key is completely trusted, whereas no witness is
> trusted; compromise of an RFC 5011 key compromises the whole system,
> whereas compromise of a witness is equivalent to unavailability (up
> to the quorum size);
> * RFC 5011 requires close co-operation between key holders for updating
> the DNSKEY RRset and its signatures, whereas trust anchor witnesses
> * Part of the circular dependency loop is accurate time, and it's easy to
> get trust anchor witnesses to tell you the time as well; not so easy
> purely within the DNS.
* A 5011 trust system is maintained as part of the root zone - as long
as the root zone is maintained, the 5011 trust system is maintained.
* The "requires close cooperation" bullet is just wrong. It turns out
that the SPECIFIC mechanism they're currently using requires everyone to
show up in a certain place, but that's an artifact of process, not of
protocol. (Happy to sketch out a different protocol - it's pretty
* But time also requires a source of trust - if you can spoof enough
witnesses, you can spoof time. In any event, time is irrelevant at the
system level - each relying party is responsible for figuring out its
source of time - in both systems.
One of the reasons I went away was to try and figure out how to
accurately analyze your approach.
Before you start down this approach, you need to figure out at least a
1) How many total witnesses? (Since you won't be maintaining the
system, these are all there ever will be)
2) How many of the witnesses are enough to assume trust?
3) How long do you want this system to work?
It turns out that the lifetime of an un-maintained M of N system has
exactly the same characteristics as a nuclear decay analysis. E.g. given
a starting population of N, an ending population of M and a period of Y,
what is the half-life of the system? From the half-life of the system,
you can calculate the minimum average mean time to failure of any given
And it's nice that there is this
So let's start out with a 3 of 10 system with a required lifetime of 20
years (240 months). The half-life of the system is 138.2 months and the
average required MTTF is 199 months or about 16.5 years. That means
that you have to expect that any given witness will be around and
available AT the place it was originally available at for around 17 years.
It gets better with more witnesses, say 3 of 15: 149 months or about
12.5 years MTTF. That's a bit better, but that's an average - you still
have to ensure that 3 of those systems will be around for the 20 years,
and you have to ensure they aren't compromised in the meantime.
But it gets worse if you increase the number of required witnesses - say
5 of 15 - 218 months or a required average MTTF of 18.2 years for that
set of 15 witnesses.
Now you could add a maintenance protocol, and the ability to add and
delete witnesses, but guess what - you end up looking like 5011, but
with the problem of how to manage the trust set of the trust set.
This reminds me of the "Turtles all the way down" recursion.
DNSOP mailing list
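The decay analysis in the message above, carried through as an added worked example (this is not code from the thread or from either participant). It assumes the model the message describes: witnesses drop out independently at a constant rate, so the surviving population follows N(t) = N * 2^(-t/T), the requirement that M of N witnesses survive the lifetime Y fixes the half-life T = Y / log2(N/M), and the per-witness mean time to failure is T / ln 2. Under those assumptions it reproduces the 3 of 10, 3 of 15 and 5 of 15 figures quoted in the message; the function names are the example's own.

```python
import math

LN2 = math.log(2)


def half_life(n, m, lifetime):
    """Half-life T (same unit as `lifetime`) of an unmaintained M-of-N set:
    solves m = n * 2**(-lifetime / T) for T, i.e. the decay rate at which a
    population of n witnesses has shrunk to exactly m after `lifetime`."""
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= n")
    return lifetime / math.log2(n / m)


def witness_mttf(n, m, lifetime):
    """Mean time to failure a single witness must have so that, on average,
    m of the original n are still available after `lifetime`.
    For exponential decay the mean lifetime is the half-life divided by ln 2."""
    return half_life(n, m, lifetime) / LN2


def expected_survivors(n, mttf, t):
    """Expected number of n witnesses still reachable after time t when each
    has mean time to failure `mttf` (the decay law written with the mean)."""
    return n * math.exp(-t / mttf)


def analyse(n, m, years):
    """Half-life and required per-witness MTTF for an m-of-n set that must
    keep a quorum for `years` years; results in months (and MTTF in years)."""
    months = years * 12
    mttf = witness_mttf(n, m, months)
    return {
        "half_life_months": round(half_life(n, m, months), 1),
        "mttf_months": round(mttf),
        "mttf_years": round(mttf / 12, 1),
    }


if __name__ == "__main__":
    # The three configurations discussed in the thread, each for a 20 year lifetime.
    for n, m in ((10, 3), (15, 3), (15, 5)):
        print(f"{m} of {n}, 20 years: {analyse(n, m, 20)}")
```

Running it shows where the pressure comes from: raising N for a fixed quorum M shortens the required per-witness MTTF, while raising the quorum M for a fixed N lengthens it, and in every case the figure is an average, so the actual quorum can be lost well before the planned lifetime.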