You are confusing attack surface with vulnerability.  Without getting
into technology specifics, if A .and. B must be successfully attacked in
order to cause a problem, then having two systems can only reduce the
vulnerability even though there are more places to attack.

If the problem is availability, then the best strategy is redundancy -
use multiple sources for a single information item.  If the problem is
integrity, the best strategy is diversity - use different sources for
different information items.  If either source gives the wrong answer
you fail, but fail safely.  (Redundancy and diversity can be combined of
course, but then combining rules such as voting thresholds have to be
specified.)

For the DNS/PKI case, if A is an IP address for a dnsname and B is a
public key for a dnsname, then it is necessary to attack the sources of
A and B in order to successfully spoof a named server.  If A and B come
from the same system (e.g., DNS) it is necessary to attack only that
system.  If they come from different systems (DNS and PKI) then it is
necessary to attack both.  Attacking only one may cause an availability
failure, but not an integrity failure.

Dave
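Dave's argument, worked through as an added illustration that is not part of the thread: a toy Python model in which a client resolves a server name to an address (A) and a public key (B), connects, and accepts only when the key the host presents matches B. The addresses and key labels are constructed, and the combining rule for redundancy is a simple agreement threshold.

```python
from collections import Counter

# Constructed records for the model: the legitimate server and a spoofed one.
LEGIT = {"ip": "198.51.100.10", "key": "KEY-legit"}
SPOOF = {"ip": "203.0.113.66", "key": "KEY-attacker"}

def source(compromised):
    """A source of records (think DNS or PKI). A compromised source answers
    with the attacker's values for every field it is asked about."""
    return lambda field: (SPOOF if compromised else LEGIT)[field]

def host_key_at(ip):
    """What the client observes on connecting: the host at the attacker's
    address presents the attacker's key, the real host presents its own."""
    return SPOOF["key"] if ip == SPOOF["ip"] else LEGIT["key"]

def connect(ip_source, key_source):
    """Resolve A (address) and B (public key), connect, and verify.
    Returns 'ok', 'availability_failure' (fails closed) or 'integrity_failure'."""
    ip, expected_key = ip_source("ip"), key_source("key")
    if host_key_at(ip) != expected_key:
        return "availability_failure"
    return "ok" if ip == LEGIT["ip"] else "integrity_failure"

def single_system(compromised):
    """A and B from one system: compromising it spoofs the server outright."""
    s = source(compromised)
    return connect(s, s)

def diverse_systems(dns_compromised, pki_compromised):
    """A from DNS, B from PKI: the attacker must compromise both to spoof;
    compromising only one denies service instead."""
    return connect(source(dns_compromised), source(pki_compromised))

def redundant_lookup(field, sources, threshold):
    """Redundancy for availability: several sources for one item, accepted
    only when at least `threshold` agree; None means no answer (fail safe)."""
    value, votes = Counter(s(field) for s in sources).most_common(1)[0]
    return value if votes >= threshold else None

if __name__ == "__main__":
    print("one system, compromised:", single_system(True))
    print("DNS compromised only:", diverse_systems(True, False))
    print("both compromised:", diverse_systems(True, True))
    srcs = [source(True), source(False), source(False)]
    print("3 redundant, 1 bad, need 2:", redundant_lookup("ip", srcs, 2))
```

Note that redundancy alone does not protect integrity: once enough replicas of the same source are compromised to meet the threshold, the vote simply returns the attacker's value.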


-----Original Message-----
From: pkix-boun...@ietf.org [mailto:pkix-boun...@ietf.org] On Behalf Of
Ben Laurie


If I deploy the DNS solution, stating that DNS is authoritative, then
my attack surface now excludes all CAs. How is that an increase in
attack surface?

Contrast with today's situation, where my attack surface is increased
on a regular basis by the introduction of new CAs, without any
consultation with me at all.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop