[ksk-change] Action #4 - Review Joe Abley's Internet Drafts

Joe Abley jabley at hopcount.ca
Fri Oct 17 22:20:57 UTC 2014

On 17 Oct 2014, at 16:55, Warren Kumari <warren at kumari.net> wrote:

> echo -n '. '; wget -q -O -
> https://data.iana.org/root-anchors/Kjqmt7v.crt <https://data.iana.org/root-anchors/Kjqmt7v.crt> | openssl x509 -text
> -inform der| grep 'Subject:' | cut -d ' ' -f16- > root.anchor
> Now can I have a cookie?

You can if you can explain what your trust on the retrieved Kjqmt7v.crt file is based on, and how you came up with that filename. Also, I'm taking five points off your score for using wget instead of curl, but that's just because I'm unreasonable.

Unless you skipped to the end, your trust in that certificate is based on trust in whatever CDN ICANN is using for data.iana.org <http://data.iana.org/> (which you don't know, don't pretend you looked) and the TLS (or, let's be pessimistic, SSLv3) that was negotiated between your wget and the CDN's servers. This doesn't smell very good to me, and I think we can aim higher.

> (Needlessly snotty, passive aggressive way of pointing out that the
> technique in the draft is simple enough that many folk may be doing
> this without an "implementation")

The intention was that you would be able to find many certificates on data.iana.org <http://data.iana.org/>, and that you would keep looking until you found one with a valid signature chain back to a certificate you actually trust (e.g. a code-signing cert used for software updates, etc).

The signature in the cert you retrieved was made by a proof-of-concept IANA CA which properly ought to be trusted by nobody. The PGP detached PGP and S/MIME signatures in that directory are similarly untrustworthy.

What was envisaged was that DNSVendor, Inc. would make arrangements with ICANN to retrieve a trusted copy of the CSR containing the root zone trust anchor set and sign it according to their normal certificate management practices with a key that client software has a means to trust, and publish the resulting certificate on data.iana.org <http://data.iana.org/> along with similar certificates from NameVendor, Inc. and anybody else who has a need to distribute software to bootstrap trust in DNSSEC.

This has been poorly communicated, or there is no interest, or there is some other reason why this has not happened.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141017/32ac1db3/attachment-0001.html>

More information about the ksk-rollover mailing list