Michael StJohns <m...@nthpermutation.com> wrote:

Interesting thoughts, thanks. I have a slightly different starting point,
which doesn't disagree with your argument, but leads to somewhat different
consequences.

> Proposition 1 (P1):  The initial selection of a root of trust (ROT) on behalf
> of a validator ALWAYS involves a human in the loop.  It may not be obvious
> which human(s), but it is always the case someone (not a computer) decided.
> The selector may be the person configuring the validator or the set of people
> who compile the code with the validator, or a Linux distribution manager, but
> the initial selection always involves a judgement call of some sort by a
> human.  In many cases, this judgement call is based on external
> information (like widespread publication of the ROT information or multiple
> third party endorsements (e.g. reputation evaluation)).

I think it should be possible to automate this judgment call, given a
suitable distributed publication/endorsement mechanism. This is the point
of my trust anchor witnesses draft. The HITL doesn't select the trust
anchor directly, but instead selects the witnesses.

> Proposition 4 (P4):  The compromise of a singleton ROT (or more generally of
> all ROTs) leading to the "no trust" condition, requires repeating the "initial
> root of trust selection process". From the point of view of the validator,
> this is almost always a manual action either directly to the validator (manual
> configuration update, manual firmware update), or indirectly through a
> validator's control point (e.g. pushed by a NOC).

With multiple trust anchor witnesses, a validator can survive the
compromise of a witness (or a witness ceasing operations, or multiple
witness failures) if it requires a large enough quorum when setting up or
recovering a trust anchor, and enough working witnesses remain. No need
for a HITL in these cases.

Loss of all witnesses should be extremely unlikely!

> Corollary 3 (C3): If P4, C1 and P1 are true, simply moving the ROT from the
> DNS Root Trust Anchor set to one or more CA ROTs does not mitigate against ROT
> compromise, it only moves the responsibility for mitigating the problem from
> the DNSSEC system to the CA system.

Right.

My idea is different because witnesses are not individually trusted: only
a quorum is enough to establish trust. A compromised witness is basically
equivalent to an unavailable witness (unless the compromise is as big as
the quorum!).

The aim is to disperse trust, not to move it around.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Biscay, Fitzroy, Sole: West or northwest 5 to 7, increasing gale 8 at times.
Rough or very rough, occasionally high later in west Fitzroy. Rain or thundery
showers. Good, occasionally poor.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
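A toy model of the quorum rule discussed in this thread, added here as an illustration and not code from Tony's trust anchor witnesses draft or from any DNSSEC implementation. Witness names, keys and anchor identifiers are constructed, and an HMAC stands in for each witness's signature; the operator (the human in the loop) pins the witness keys, and the validator only accepts an anchor endorsed by a quorum of those witnesses.

```python
import hmac
import hashlib
from collections import Counter

# Constructed model: the operator pins witness keys once; after that the
# validator decides on a trust anchor from witness endorsements alone.


def endorse(witness_key: bytes, anchor_id: str) -> bytes:
    """A witness's endorsement of anchor_id (HMAC stands in for a signature)."""
    return hmac.new(witness_key, anchor_id.encode(), hashlib.sha256).digest()


def select_anchor(pinned_keys: dict, statements: dict, quorum: int):
    """Return the anchor endorsed by at least `quorum` pinned witnesses, else None.

    pinned_keys: witness name -> key chosen by the operator.
    statements:  witness name -> (anchor_id, endorsement) as fetched; a witness
                 that is offline is simply absent from the dict.
    Choose quorum > len(pinned_keys) / 2 so two anchors can never both reach it.
    """
    votes = Counter()
    for name, key in pinned_keys.items():
        stmt = statements.get(name)
        if stmt is None:
            continue  # unavailable witness contributes nothing
        anchor_id, tag = stmt
        if hmac.compare_digest(tag, endorse(key, anchor_id)):
            votes[anchor_id] += 1  # a statement not made with the pinned key is ignored
    if not votes:
        return None  # nothing usable: fall back to manual (HITL) selection
    anchor_id, count = votes.most_common(1)[0]
    return anchor_id if count >= quorum else None


# Constructed scenario: five pinned witnesses, quorum of three.
WITNESS_KEYS = {f"w{i}": f"witness-{i}-secret".encode() for i in range(1, 6)}
QUORUM = 3
REAL, BOGUS = "ksk-real-ds", "ksk-bogus-ds"


def scenario(honest, compromised=()):
    """Honest witnesses endorse REAL, compromised ones endorse BOGUS,
    any witness in neither list is offline. Returns the validator's decision."""
    statements = {}
    for name in honest:
        statements[name] = (REAL, endorse(WITNESS_KEYS[name], REAL))
    for name in compromised:
        statements[name] = (BOGUS, endorse(WITNESS_KEYS[name], BOGUS))
    return select_anchor(WITNESS_KEYS, statements, QUORUM)
```

Running the scenarios shows the three cases from the thread: fewer compromised witnesses than the quorum behave like offline ones, a compromise the size of the quorum does subvert the anchor, and too few working witnesses yields no decision rather than a wrong one.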