[ih] DNS turtles, DKIM history, was IETF relevance (was Memories of Flag Day?)
Michael Thomas
enervatron at gmail.com
Wed Aug 30 15:03:05 PDT 2023
On 8/30/23 7:09 AM, John R. Levine via Internet-history wrote:
> On Tue, 29 Aug 2023, Michael Thomas wrote:
>>> I don't think I've ever seen the kind of attack that DNSSEC defends
>>> against in the wild, certainly not against DKIM records, so in
>>> practice it's secure enough. Perhaps by accident we made the right
>>> tradeoff. ...
>
>> So yes, it was a mistake. We could have a had a very secure solution
>> with proven and widely deployed technology with a pattern that could
>> be replicated in other solutions so that we did get complete messes
>> like STIR/SHAKEN and its use of x.509 when simple naked public key
>> use would have been completely sufficient. ...
>
> I don't disagree that the performance would be OK, but the certs seem
> like security theatre. Before LE, the usual way to get a cert signed
> was that you paid someone $5 and they emailed a link to
> hostmaster@<domain> that you clicked. With LE, either it's a token in
> a DNS record or on the web site's home page. If you're worried that
> hostile parties could fake the DKIM key record, they could as well
> fake the MX for the mail or TXT or A for the LE token. These days
> it's DNS turtles all the way down.
>
> It's certainly possible to have more secure models for cert signing
> but when's the last time you saw a green bar cert?
>
We used naked public keys in IIM. There was no need for a key/name
binding at all. With DK it was more or less fluff to bind a name to the
public key with the selector, but it didn't hurt anything. By certs, I
meant certs for the web server serving up the verification of the public
key's provenance. That's just normal web stuff.
For my part, I think that we should make new work prove to the security
area that they actually need to use certs at all. They are archaic for
conditions that just don't apply these days since everything is online
now which wasn't the case when they were first developed 40 years ago.
It's really unfortunate that the magical thinking about them still
persists to this day.
I wrote a post a while back about this:
https://rip-van-webble.blogspot.com/2021/03/certificates-confuse-everything.html
Mike
More information about the Internet-history
mailing list