You are confusing attack surface with vulnerability. Without getting into technology specifics, if A .and. B must be successfully attacked in order to cause a problem, then having two systems can only reduce the vulnerability even though there are more places to attack.
If the problem is availability, then the best strategy is redundancy - use multiple sources for a single information item. If the problem is integrity, the best strategy is diversity - use different sources for different information items. If either source gives the wrong answer you fail, but fail safely. (Redundancy and diversity can be combined of course, but then combining rules such as voting thresholds have to be specified.)

For the DNS/PKI case, if A is an IP address for a dnsname and B is a public key for a dnsname, then it is necessary to attack the sources of A and B in order to successfully spoof a named server. If A and B come from the same system (e.g., DNS) it is necessary to attack only that system. If they come from different systems (DNS and PKI) then it is necessary to attack both. Attacking only one may cause an availability failure, but not an integrity failure.

Dave

-----Original Message-----
From: pkix-boun...@ietf.org [mailto:pkix-boun...@ietf.org] On Behalf Of Ben Laurie

If I deploy the DNS solution, stating that DNS is authoritative, then my attack surface now excludes all CAs. How is that an increase in attack surface? Contrast with today's situation, where my attack surface is increased on a regular basis by the introduction of new CAs, without any consultation with me at all.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
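As an added example (not part of the thread), here is a small Python model of the redundancy-versus-diversity argument in Dave's message: it enumerates the joint states of independent sources and classifies the client outcome under the diversity rule (every fact must check out, so a single forged source only denies service) and under a k-of-n redundancy rule. The 10% forged / 5% unavailable probabilities are constructed for illustration, and the sources are assumed independent.

```python
from itertools import product

STATES = ("genuine", "forged", "unavailable")

def source(p_forged, p_unavailable):
    """Per-source outcome probabilities; 'forged' = attacker controls the answer."""
    return {"genuine": 1.0 - p_forged - p_unavailable,
            "forged": p_forged, "unavailable": p_unavailable}

def outcome_probabilities(sources, classify):
    """Sum the probability of each client outcome over all joint source states."""
    totals = {"ok": 0.0, "availability failure": 0.0, "integrity failure": 0.0}
    for combo in product(STATES, repeat=len(sources)):
        prob = 1.0
        for src, state in zip(sources, combo):
            prob *= src[state]
        totals[classify(combo)] += prob
    return totals

def diversity(combo):
    """Diversity (the DNS+PKI case): each source supplies a different fact and the
    server is accepted only if every fact checks out. One forged fact contradicts
    the genuine ones, so the client refuses: availability loss, not integrity loss."""
    if all(s == "genuine" for s in combo):
        return "ok"
    if all(s == "forged" for s in combo):
        return "integrity failure"
    return "availability failure"

def redundancy(k):
    """Redundancy: all sources supply the same fact, accepted once k agree.
    Forged sources are assumed to agree (one attacker), so k forged answers win."""
    def classify(combo):
        if combo.count("forged") >= k:
            return "integrity failure"
        if combo.count("genuine") >= k:
            return "ok"
        return "availability failure"
    return classify

# Constructed, illustrative probabilities: each source is forged 10% and
# unavailable 5% of the time; the two sources are assumed independent.
DNS, PKI = source(0.10, 0.05), source(0.10, 0.05)

if __name__ == "__main__":
    print("DNS alone:        ", outcome_probabilities([DNS], diversity))
    print("DNS+PKI diversity:", outcome_probabilities([DNS, PKI], diversity))
    print("DNS+PKI any-of-2: ", outcome_probabilities([DNS, PKI], redundancy(1)))
```

Diversity cuts the integrity-failure probability from 0.10 to 0.01 while raising availability failures; any-of-2 redundancy does the reverse, which is the attack-surface increase Ben Laurie objects to.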