Novel Certificate Environments and DNSSEC - PowerPoint PPT Presentation

Slides: 11
Provided by: markdf
Transcript and Presenter's Notes

1
Novel Certificate Environments and DNSSEC
  • Jon Peterson (via Ed Lewis)
  • NeuLevel
  • April 5, 2005

2
DNSSEC and ("vs.") Certificates?
  • Thus far, DNSSEC adoption has been slow
  • Does it solve real problems?
  • Do customers want it?
  • How will it be financed (by registries/registrars)?
  • Most real Internet security today relies on
    certificates
  • What is the impact of DNSSEC on certificates?

3
The Purpose of Certificates
  • Certificates provide
  • A binding between a domain name and a set of
    keying material
  • Thus, certificate authorities must verify
    namespace ownership
  • As a business requirement, they must do so
    quickly
  • Many do so through simple DNS-based verification
    schemes
  • Enrollment is the greatest challenge for the
    certificate business

4
The Business Model for Certificates
  • Today, certificates come embedded in web browsers
  • Most charge some fee for inclusion of root CA
    certificates in distributions of their browser
  • Certificates are then sold to businesses and
    other end users by the CA
  • Oftentimes coupled with domain name sales
  • Certificates today are mostly used by browsers

5
Domain-based Internet Applications
  • The names used in the web (http://www.host) are
    URIs rooted in domains
  • Email (uses hostnames)
  • VoIP has several dependencies on hostnames
  • Because of enrollment problems, certificate usage
    today has not caught on for user-to-user
    applications like email and VoIP

6
Leveraging DNSSEC for the Web
  • DNSSEC will be used to make decisions about
    higher-layer applications
  • Connecting to a web site, one verifies the DNS
    first
  • Other higher-layer security decisions may also be
    predicated on the presence of DNSSEC
  • Why is e-commerce secure (at a protocol level)
    today?
  • "Name match": the URL of the website is compared
    to the certificate returned by a TLS connection
    to the website

7
DNS and Email Authentication
  • In the IETF, the MASS effort targets email
    authentication
  • Yahoo! DomainKeys
  • Cisco Identified Internet Mail (IIM)
  • Both approaches currently rely on the inherent
    security of the DNS
  • Both approaches would be made more secure by
    DNSSEC

8
DNS and SIP
  • Many VoIP requests established with SIP use
    telephone numbers
  • One can put keys in the DNS corresponding to the
    hostname of a SIP URI
  • ENUM can be used to find keys corresponding to
    the owner of the namespace
  • ENUM provides a way of identifying the owner of
    the namespace via DNS
  • DNSSEC makes both uses of DNS safer

9
Will DNSSEC Supplant Certificates?
  • If you need keying material to verify DNS
    queries, can you reuse it at the application
    layer?
  • What qualities do certificates provide that
    cannot be provided with DNSSEC?
  • Where there are such qualities, certificates will
    continue to be used
  • DNSSEC protects more than what certs protect
    today
  • Increases the applicability of keys

10
Incentives for DNSSEC
  • Revenue from security services
  • The money currently being spent on certificates
    will go somewhere
  • Selling DNSSEC as an add-on to existing DNS sales
    follows existing marketing practice
  • There are operational costs of implementing
    DNSSEC
  • These could be reimbursed, with a profit, and
    still undersell the existing cert market