On Thu, Apr 7, 2022 at 5:45 AM Masataka Ohta <
[email protected]> wrote:
> As I wrote:
>
> >> Such an individual would have to get access, create the records, give
> >> them to others, who then have to on-path attack you. At the TLD level
> >> and higher, this involves HSMs and physical access restrictions using
> >> a “four eyes minimum” approach.
>
> > Not surprisingly, diginotar was equally strongly secure.
>
> Are there anyone who still think DNSSEC were cryptographically secure
> or had protected TLDs more securely than diginotar?
>
I'm not sure why "thinks" enters into the conversation.
Nobody is entitled to their own facts, only their own opinions.
The facts are what matters here:
- Each TLD has its own specific infrastructure, practices, etc.
- Not all TLDs are equivalent for purposes of comparison of relative
security (to each other or when compared to corresponding CA
infrastructure
and practices)
- Each TLD is a monopoly for the purposes of DNSSEC. The TLD operator
has exclusive control over the delegations (including DNSSEC components) to
registrants.
- Registrants choose the TLD to use when they register a domain
- Modulo the restrictions applicable to specific TLDs, the available
choices of TLD are substantial
- Each CA (including diginotar) is not a monopoly. Any CA can issue a
certificate for any domain name.
- Each CA has its own specific infrastructure, practices, etc.
- Not all CAs are equivalent for purposes of comparison of relative
security (to each other or when compared to corresponding TLD
infrastructure and practices)
Taking these facts into consideration, the following assertions are clear
consequences:
- Some CAs MAY have stronger infrastructure and practices than some TLDs
- Some TLDs MAY have stronger infrastructure and practices than some CAs
- It MAY be the case that some TLDs have infrastructure and practices
that are not exceeded by those of any CA
- Rephrased: some TLDs >= all CAs (which includes the boundary
condition of "some TLDS == some CAs" without explicitly claiming that set
is non-empty)
- An attacker who wishes to compromise a domain via a WebPKI
certificate, can choose which CA to use for this purpose
- An attacker who wishes to compromise a domain via DNSSEC delegation,
cannot choose which TLD to use for this purpose
Taken together, this means that as long as there exists any CA which is
weaker than some TLD, that automatically means that as a global system,
DNSSEC is more cryptographically secure than WebPKI.
And, given the facts regarding diginotar, this means that as a system,
DNSSEC is more cryptographically secure than diginotar.
QED
Registrants get to choose the TLD. Once that decision has been made, the
attacker has no alternatives to that TLD in terms of what would need to be
compromised to affect that specific domain.
The same is not true of CAs. Any CA being compromised places every domain
(regardless of TLD) in jeopardy, if the only protections on certificates
are those currently employed (e.g. CT, CRLs, OCSP).
If/when DANE (TLSA records) are used to improve certificate validation, the
choice of CA for the attacker to compromise is removed from the equation.
Brian
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
