DNSCurve is fine, but we can also just continue assuming the DNS is insecure and pushing security out to the endpoints, where the End To End Argument says it belongs anyways.
You seem to have a clear idea of how TLS+TACK solves this issue but you're not articulating it, just giving laconic answers. As far as I can tell TACK doesn't solve the first connection problem:
"The big drawback of the TACK mechanism is that, like other client-side key-pinning methods, it does not protect the user against a man-in-the-middle (MITM) attack during the very first connection attempt to the remote server."
So as far as I can tell even in a TLS+TACK world if your initial connection is to http://mail.mydomain.com anyone that controls the DNS has you, and if you connect to https://mail.mydomain.com it's anyone that controls a rogue CA. This is exactly the same situation as TLS without TACK, no?
TLS+TACK doesn't solve the first connection problem if you stipulate a corrupted CA PKI. But the difference between the CA PKI and the DNSSEC PKI is that you have to stipulate that the CAs are corrupt; the DNSSEC PKI is corrupt by design.
Meanwhile: the CAs are financially disincentivized from going rogue, because Mozilla and Google will remove them from the trust store if they do stupid things.
What dynamic pinning plus CAs buys you, on top of key continuity that corrupted CAs can't break, is surveillance: an entity that can get bogus certificates issued can't assume they can do it undetected, because those certs will almost immediately break on someone's pin.
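Added example, not part of the thread: a trust-on-first-use pin store that models the two properties argued about above, the unprotected first connection and the fact that a mis-issued certificate trips the pin of every client that already has one. It is a simplification of TACK, which pins a server-chosen signing key rather than the certificate's public key so that certificates can rotate under one pin; host names, CA names and key bytes here are constructed.

```python
"""Simulated dynamic key pinning (trust-on-first-use of the server's SPKI hash).

Added example, not part of the thread. Both CAs below sit in the trust
store, so ordinary chain validation accepts certificates from either one;
only the pin distinguishes the real key from the mis-issued one.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed trust store: the client cannot tell the honest CA from the rogue one.
TRUSTED_CAS = {"HonestCA", "RogueCA"}


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 certificate: host, issuing CA, public key bytes."""
    host: str
    issuer: str
    spki: bytes

    def spki_hash(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class PinningClient:
    pins: dict = field(default_factory=dict)    # host -> pinned SPKI hash
    alerts: list = field(default_factory=list)  # (host, issuer, offending hash)

    def connect(self, cert: Certificate) -> str:
        # Step 1: ordinary PKI validation, which accepts any trusted CA.
        if cert.issuer not in TRUSTED_CAS:
            return "reject:untrusted-ca"
        digest = cert.spki_hash()
        if cert.host not in self.pins:
            # First-connection problem: nothing to compare against, so whatever
            # key is presented now (including an attacker's) becomes the pin.
            self.pins[cert.host] = digest
            return "accept:new-pin"
        if self.pins[cert.host] == digest:
            return "accept:pin-match"
        # Valid chain but not the pinned key: key continuity is broken, raise a flag.
        self.alerts.append((cert.host, cert.issuer, digest))
        return "alert:pin-mismatch"


def run_scenario() -> dict:
    """Two clients meet the same mis-issued certificate; only the one with a prior pin notices."""
    host = "mail.mydomain.com"                                   # constructed
    real = Certificate(host, "HonestCA", b"constructed-real-server-key")
    bogus = Certificate(host, "RogueCA", b"constructed-attacker-key")  # valid chain, wrong key

    veteran = PinningClient()   # connected before the attack began
    newcomer = PinningClient()  # makes its very first connection during the attack

    results = {
        "veteran_first": veteran.connect(real),
        "veteran_attacked": veteran.connect(bogus),    # pin break: the attack is visible
        "newcomer_attacked": newcomer.connect(bogus),  # silently pins the attacker's key
        "newcomer_after": newcomer.connect(real),      # the genuine key now looks like the attack
    }
    results["alerts"] = len(veteran.alerts) + len(newcomer.alerts)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The newcomer's result is the point of the quoted TACK drawback: a client whose first connection is intercepted never sees an alert for the attack itself, and once the interception ends the legitimate key is what looks suspicious to it. The veteran's alert is the detection the comment describes, which is why an attacker with a mis-issued certificate cannot assume it goes unnoticed against a population where some clients already hold pins.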
>TLS+TACK doesn't solve the first connection problem if you stipulate a corrupted CA PKI.
Don't you think it's a reasonable assumption that the NSA controls at least one CA?
>the DNSSEC PKI is corrupt by design.
That's interesting, have any pointers as to why? With the current model any CA can vouch for any site (hence the need for pinning), with DNSSEC only the CA that controls .COM can issue fake certificates for EXAMPLE.COM. I don't understand how that doesn't make the potential attacks strictly fewer.
>What dynamic pinning plus CAs buys you, on top of key continuity that corrupted CAs can't break, is surveillance: an entity that can get bogus certificates issued can't assume they can do it undetected, because those certs will almost immediately break on someone's pin.
Right, and that's fine for mass attacks (which is important) and less than stellar for anything that's targeted. Plus there's nothing stopping you from implementing pinning+DNSSEC CAs, so that if the .COM CA starts issuing fake GOOGLE.COM certificates you catch him. At the same time RandomCAFromAntarctica doesn't even get to try.
The USG owns the DNS roots. Or did you not notice the pirate sites with their logos replaced by the DOJ seal? They don't have to "corrupt" the DNS; it's already theirs to control.
We can stop arguing about DNSSEC though, because it is never going to happen. It's a stability disaster, an enormous administrative pain to manage, cryptographically weak, and requires domains to publish all their hostnames (private or not); see NSEC3 for the ludicrous hack the working group came up with to (badly) mitigate that problem.
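Added example, not part of the thread, to make the NSEC3 point above concrete. NSEC3 (RFC 5155) replaces NSEC's plaintext "next owner name" with a salted, iterated SHA-1 hash of the owner name, but the salt and iteration count are published in the zone, so anyone who has walked the NSEC3 chain can hash a wordlist offline and recover the names. The salt and iteration count (aabbccdd, 12) are the ones used in RFC 5155 Appendix A, which lets the first assertion check the hash function against that appendix's vector for the apex "example."; the zone contents and the wordlist are constructed.

```python
"""NSEC3 hashed owner names and an offline dictionary attack against them.

Added example, not part of the thread. Implements the hash from RFC 5155
section 5 over the canonical wire-format name, then shows that published
salt + iterations let an attacker test candidate labels directly.
"""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "extended hex" alphabet


def to_wire(name: str) -> bytes:
    """Canonical form (RFC 4034 s6.2): lowercase, length-prefixed labels, terminating root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            lab = label.encode("ascii")
            out += bytes([len(lab)]) + lab
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt). Iterations are additional rounds."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def enumerate_zone(hashed_owners, zone, salt, iterations, wordlist):
    """Offline dictionary attack: hash each candidate label under the zone's own parameters
    and look it up among the hashed owner names collected from the NSEC3 chain."""
    targets = {h.lower() for h in hashed_owners}
    recovered = {}
    for word in wordlist:
        candidate = f"{word}.{zone}" if word else zone
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            recovered[h] = candidate
    return recovered


def demo():
    """Constructed zone: five hosts, four of them guessable from a small wordlist."""
    zone = "example.com."
    salt = bytes.fromhex("aabbccdd")   # published in the NSEC3PARAM record
    iterations = 12                    # published as well; only slows each guess down
    real_names = ["www", "mail", "vpn", "intranet", "zz-internal-7"]  # constructed contents
    chain = [nsec3_hash(f"{n}.{zone}", salt, iterations) for n in real_names]
    wordlist = ["www", "ftp", "mail", "smtp", "vpn", "dev", "intranet", "staging", "admin"]
    recovered = enumerate_zone(chain, zone, salt, iterations, wordlist)
    return recovered, len(chain) - len(recovered)


if __name__ == "__main__":
    found, still_hidden = demo()
    for h, n in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{h}  <-  {n}")
    print(f"{still_hidden} name(s) not in the wordlist remain hidden")
```

Iterations raise the cost of each guess for the attacker and for every validating resolver alike, and the salt only prevents reuse of one precomputed table across zones; neither stops a targeted wordlist, which is why the hashing is a mitigation rather than a fix for the hostname-disclosure problem the comment describes.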
You're postulating that the DNS is compromised. So you've already given up on the first connection and are relying on pinning only to raise red flags if someone does too broad an attack. With DNSSEC CAs only the .COM CA (USG compromised you say) gets to try to MITM. With the current system all CAs (compromised by USG and others I say) get to try to MITM. Pinning+DNSSEC seems strictly better than Pinning+ExistingCAs.
I am again baffled. If a CA issues a rogue certificate and, as is likely, is rapidly caught because 10 million people have an already-loaded pin for the real certificate, Google can nuke the CA from orbit. Google cannot nuke .COM.
How could a government-run PKI possibly be better than a network of crappy private companies? At least the companies have to respond to incentives.
Ok, now we're getting somewhere. Our proposed end-states for security are different:
You: TLS connections have a high likelihood of being secure but they will be MITM'd by some CAs some of the time. We put mechanisms in place (pinning of individual certificates) to in the long run detect most of those attempts and disable those CAs.
Me: TLS connections are known to be secure to the people in the trust chain. (I trust my registrar, who trusts .COM, who trusts the root). No other parties can breach that trust. We put mechanisms in place (pinning at all levels) to detect misplaced trust (the USG creating a new certificate for .COM) and make a fuss when that happens.
If you have enough trust in the democratic process being able to control the chain of trust you'd go for my solution, if not you'd go for yours. It sucks that we live in a world where that choice isn't clear.