[Certsanddns] [SPAM] Expression of Interest

Wilhelm, Richard Richard.Wilhelm at networksolutions.com
Mon Jan 10 15:21:53 MST 2011


Hello,

I'm interested in attending this meeting.

Name:  Richard Wilhelm

Organization:  Network Solutions

Background:   I serve as VP Engineering at Network Solutions (since 2008).
I am an active member of the ICANN SSAC.  Prior to joining Network Solutions
I spent 7 years at NeuStar, where I held roles in software engineering,
operations, and corporate technology strategy, with a focus on its domain
name registry business.  In that role, I was responsible for some of the
first trials of EPP modifications for provisioning DNSSEC data.

Expression of Interest:  Network Solutions is a large domain name registrar
with a broad customer base that is focused on small businesses.  We also
sell digital certificates and operate hosted ecommerce solutions.  We are
participating in the evolutionary deployment of DNSSEC and are interested in
developing business models around it that broaden its appeal in the market.

I can be reached by email at this address or by phone (mobile:
703-283-8457)

Thanks,

Rick


------ Forwarded Message
From: Thuy LeDinh <tledinh at pir.org>
Date: Wed, 5 Jan 2011 22:30:49 -0500
To: James M Galvin <jgalvin at afilias.info>
Subject: Wed 26 Jan 2011 - Meeting on Possible use of DNSSEC and X.509v3
certificates in combination

Dear Colleagues,
 
The CA/Browser Forum and the DNSSEC Coalition are holding a joint expert
meeting to discuss the possible use of DNSSEC and X.509v3 certificates in
combination, as outlined in the note following this announcement.
 
  The meeting will be held at:
  PayPal Inc.,
  9999 N. 90th Street,
  Scottsdale,
  AZ 85258.
 
  Starting at 1:00 PM local time on the Wed 26 Jan 2011.
 
Those interested in attending should forward a request to the organizing
committee at: certsanddns at cabforum.org containing the following information:
 
1. Name,
2. Organization,
3. Brief background and expression of interest.
 
Please submit by 10 Jan 2011.  Those selected to attend will be notified by
14 Jan 2011.
 
Applicants should be aware that attendance is limited to 30 people. So, it
may not be possible to accommodate all those who express an interest in
attending.
 
The Organizing Committee comprises:
Jim Galvin, Afilias
Phillip Hallam-Baker, Comodo
Ryan Koski, Go Daddy
Tim Moses, Entrust
Yngve Pettersen, Opera
Andy Steingruebl, PayPal
Ben Wilson, DigiCert
 
 
Background
There has been important progress in the deployment of DNSSEC in the past 12
months.  And there is now a reasonable expectation that most DNS TLDs will
be signed within the next 12 months.
 
The question of how to deploy DNSSEC, and whether deployment is feasible,
has opened up an opportunity to consider how DNSSEC will be used in
practice.  It would be a remarkably poor use of time and resources, for
instance, to deploy an infrastructure as complex as DNSSEC only to deflect
spoofing attacks from the DNS infrastructure to the BGP infrastructure. And,
while providing an alternative to the existing market for the Certification
Authority infrastructure that has been established over the past 15 years
may be one use of DNSSEC, it is not the only (or even the best) use that can
be made of it.
 
Now that DNS registrars are at the point of deployment, questions about the
DNSSEC business model cannot be ignored any longer. The registrars are being
asked to make a substantial investment to support DNSSEC. And, in order to
justify that investment, most will expect to demonstrate benefits to their
customers that are concrete and immediate.
 
DNSSEC is a PKI. Certification Authorities are in the business of deploying,
managing and marketing PKIs. DNSSEC offers capabilities that the X.509v3
model does not.  And, X.509v3 is designed to support use cases that DNSSEC
is not. Certification Authorities are also the traditional partners that DNS
registrars have relied upon to fulfill their customers' existing PKI needs.
 
There are many potential benefits of combining the X.509v3 and DNSSEC
models. DNSSEC provides a key-validation mechanism that is directly tied to
the Internet naming system: the DNS. X.509v3 provides support for Trusted
Third Party services, including assurance that the key-holder is a
legitimate business entity, has authorized the issuance, and can be held
accountable.
 
The practices and liability model of DNSSEC are (at best) incompletely
documented, while X.509v3 provides a liability model that is designed to
control risk exposure in multi-million dollar electronic contracts.
 
Each infrastructure offers capabilities that the other does not. We can
either attempt to grow one infrastructure to encompass the other, or we can
use both in combination. Important areas of potential benefit include:
 
Security Policy
The security of SSL would be significantly improved if there were a means of
ensuring that clients select the strongest level of security available for a
site. While HSTS 'strict security' offers this service after first contact,
DNSSEC has the potential to offer it on every contact.
 
Certification Authority Authorization
One of the biggest challenges facing a Certification Authority is avoiding
certificate mis-issuance. Mis-issuance events can damage a CA brand for
decades, and have led some to assert that the security of the SSL PKI is
determined by the issuance practices of the weakest, most negligent, CA in
the browser trust store. CAA is a proposal that uses DNS records to specify
which CAs are authorized to issue for a given domain, thereby preventing
this form of downgrade attack.
 
Strong Wildcards / Ubiquitous Keying
Wildcard certificates have proven benefits for certain purposes.  But the
lack of a direct binding to the actual end-entity domain name remains
somewhat unsatisfactory. Combining wildcard certificates with DNSSEC may
allow this limitation to be overcome.
 
Lifecycle Management
As with any PKI, DNSSEC requires support infrastructure for key lifecycle
management. PKI vendors already provide and maintain infrastructures to
manage the lifecycle of the cryptographic keys. Most enterprises will be
best served by one infrastructure that can manage keys for both X.509 and
DNSSEC.
 
Liability control
Early attempts to establish X.509v3 PKI were frustrated by the lack of
consideration for the liabilities that issuing parties incur by signing
public-keys for unspecified purposes. DNSSEC lacks the sophisticated
controls that have been developed to control and mitigate such liabilities.
But, ignoring a legal issue does not cause it to go away.  In particular,
DNSSEC does not allow a key-signer to specify: the practices under which the
key was validated, the intended field of use, or what relying party
expectations are reasonable. Simple measures would allow the existing
features used to mitigate litigation risks in X.509v3 to be applied in the
context of DNSSEC.
 
Realizing these potential benefits represents a multi-party action problem.
While it is easy to propose technical standards to implement such measures,
realizing the benefits is only possible if there is common interest in
establishing a business infrastructure to support them. Infrastructure is
useless without applications that use it, just as applications are useless
without the infrastructure upon which they were built to rely.
 
 


 
.ORG, The Public Interest Registry
Mobile:+1 703-929-6395  |  www.pir.org <http://www.pir.org/>  |
 


------ End of Forwarded Message
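The "Certification Authority Authorization" item in the forwarded note describes CAA in one sentence: DNS records that name the CAs allowed to issue for a domain. What that check actually involves (climbing from the requested name toward the root to find the relevant record set, the `issue` versus `issuewild` tags, the "nobody may issue" form, and the critical flag) is shown below as an added example written for this page; it is not code from the original e-mail, the CA/Browser Forum, or any CA. It follows the CAA semantics as later standardized in RFC 8659 (CAA was still a proposal when the note was written), omits the CNAME/alias step, and operates on a constructed in-memory zone instead of live DNS; the names `ca-one.example`, `ca-two.example`, `example.com` and `open.example.net` are illustrative. The page's thesis applies directly: a CA running this check must obtain the CAA RRset through a validating resolver, because an unsigned answer can be spoofed to drop the restriction entirely.

```python
"""Minimal CAA (RFC 8659) authorization check over a constructed zone.

Added example for this page, not code from the original e-mail. Sample data
is constructed; in practice the RRset would come from DNSSEC-validated DNS.
"""
from typing import Dict, List, NamedTuple


class CAARecord(NamedTuple):
    flags: int  # bit 7 (value 128) is the "issuer critical" flag
    tag: str    # "issue", "issuewild", "iodef", or a future tag
    value: str  # tag-specific value; for issue/issuewild: "<issuer-domain>[; params]"


# Constructed sample zone (hypothetical names). Keys are fully qualified names.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),  # empty issuer: no wildcard issuance by anyone
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "secure.example.com.": [
        CAARecord(128, "issue", "ca-two.example; account=42"),  # critical, but understood
    ],
    # open.example.net has no CAA records anywhere up its tree.
}

UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text: str) -> CAARecord:
    """Parse CAA presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = text.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_of(value: str) -> str:
    """The issuer-domain-name is everything before the first ';'.
    An empty issuer ("" or ";") means no CA at all may issue."""
    return value.split(";", 1)[0].strip().lower()


def find_relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 8659 section 3: starting at the FQDN, climb toward the root; the first
    non-empty CAA RRset found is the relevant one. (CNAME following is omitted.)"""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, issuer_domain: str, zone: Dict[str, List[CAARecord]],
                 wildcard: bool = False) -> bool:
    """Decide whether `issuer_domain` is authorized to issue a certificate for
    `name` (or for the wildcard *.name when wildcard=True)."""
    rrset = find_relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: CAA imposes no restriction

    # A critical record carrying a tag we do not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in UNDERSTOOD_TAGS for r in rrset):
        return False

    if wildcard:
        # issuewild takes precedence; if absent, the issue records apply.
        relevant = [r for r in rrset if r.tag == "issuewild"]
        if not relevant:
            relevant = [r for r in rrset if r.tag == "issue"]
    else:
        relevant = [r for r in rrset if r.tag == "issue"]

    if not relevant:
        return True  # e.g. only an iodef record: no issuance restriction

    want = issuer_domain.lower().rstrip(".")
    return any(issuer_of(r.value) == want for r in relevant)


if __name__ == "__main__":
    for host, ca, wild in [
        ("www.example.com.", "ca-one.example", False),   # inherits example.com.
        ("www.example.com.", "ca-two.example", False),   # not listed there
        ("secure.example.com.", "ca-two.example", False),  # own RRset, critical issue
        ("secure.example.com.", "ca-one.example", False),  # parent's record is ignored
        ("example.com.", "ca-one.example", True),        # issuewild ";" blocks wildcards
        ("open.example.net.", "anyone.example", False),  # no CAA at all
    ]:
        label = "*." + host if wild else host
        print(f"{ca:16} -> {label:24} {'ALLOWED' if ca_may_issue(host, ca, ZONE, wild) else 'DENIED'}")
```

Two details are worth noting for anyone implementing this against real DNS: the search stops at the first non-empty RRset, so a record on `secure.example.com` completely replaces (rather than adds to) whatever `example.com` says, and a record set with only an `iodef` entry does not restrict issuance at all. Both are easy to get wrong when CAA is hand-rolled, and both are exactly the kind of policy statement the forwarded note wants DNSSEC to make trustworthy.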
