Novel Certificate Environments and DNSSEC
Jon Peterson (via Ed Lewis)
NeuLevel
April 5, 2005
DNSSEC and ("vs.") Certificates?
• Thus far, DNSSEC adoption has been slow
– Does it solve real problems?
– Do customers want it?
– How will it be financed (by registries/registrars)?
• Most real Internet security today relies on certificates
– What is the impact of DNSSEC on certificates?

The Purpose of Certificates
• Certificates provide:
– A binding between a domain name and a set of keying material
• Thus, certificate authorities must verify namespace ownership
– As a business requirement, they must do so quickly
– Many do so through simple DNS-based verification schemes
– Enrollment is the greatest challenge for the certificate business

The Business Model for Certificates
• Today, certificates come embedded in web browsers
– Most browser vendors charge some fee for including root CA certificates in distributions of their browser
• Certificates are then sold to businesses and other end users by the CA
– Oftentimes coupled with domain name sales
• Certificates today are mostly used by browsers

Domain-based Internet Applications
• The names used in the web (http://www.host) are URIs rooted in domains
• Email (uses hostnames)
• VoIP has several dependencies on hostnames
– Because of enrollment problems, certificate usage today has not caught on for user-to-user applications like email and VoIP

Leveraging DNSSEC for the Web
• DNSSEC will be used to make decisions about higher-layer applications
– Connecting to a web site, one verifies the DNS first
– Other higher-layer security decisions may also be predicated on the presence of DNSSEC
• Why is e-commerce secure (at a protocol level) today?
– "Name match": The URL of the website is compared to the certificate returned by a TLS connection to the website

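The "name match" described on this slide, combined with the "verify the DNS first" step, as an added example that is not part of the original slides. The function names, the `dnssec_validated` flag (assumed to come from a validating resolver) and the sample names are constructed for illustration.

```python
from urllib.parse import urlsplit


def label_match(pattern, host):
    """Compare one DNS name from a certificate against the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label and only
        # when at least two fixed labels follow it (no "*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def name_match(url, cert_dns_names):
    """True if the host parsed from the URL is covered by the certificate."""
    # Always match on the parsed host, not on a substring of the URL:
    # text before "@" is userinfo and is not the site being contacted.
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(label_match(name, host) for name in cert_dns_names)


def connect_decision(url, cert_dns_names, dnssec_validated):
    """Hypothetical policy: check the DNS answer first, then the name match."""
    if not dnssec_validated:
        return "reject: DNS answer not authenticated"
    if not name_match(url, cert_dns_names):
        return "reject: certificate name mismatch"
    return "accept"


if __name__ == "__main__":
    # Constructed certificate names (as they would appear in subjectAltName).
    san = ["example.com", "*.example.com"]
    for url in ("https://shop.example.com/cart",
                "https://a.b.example.com/",
                "https://shop.example.com@other.test/"):
        print(url, "->", connect_decision(url, san, dnssec_validated=True))
```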
DNS and Email Authentication
• In the IETF, the MASS effort targets email authentication
• Yahoo! DomainKeys
• Cisco Identified Internet Mail (IIM)
• Both approaches currently rely on the inherent security of the DNS
– Both approaches would be made more secure by DNSSEC

DNS and SIP
• Many VoIP requests established with SIP use telephone numbers
– One can put keys in the DNS corresponding to the hostname of a SIP URI
• ENUM can be used to find keys corresponding to the owner of the namespace
– ENUM provides a way of identifying the owner of the namespace via DNS
• DNSSEC makes both uses of DNS safer

Will DNSSEC Supplant Certificates?
• If you need keying material to verify DNS queries, can you reuse it at the application layer?
• What qualities do certificates provide that cannot be provided with DNSSEC?
– Where there are such qualities, certificates will continue to be used
• DNSSEC protects more than what certs protect today
– Increases the applicability of keys

Incentives for DNSSEC
• Revenue from security services
– The money currently being spent on certificates will go somewhere
– Selling DNSSEC as an add-on to existing DNS sales follows existing marketing practice
• There are operational costs of implementing DNSSEC
– These could be reimbursed, with a profit, and still undersell the existing cert market