[Sovereign Keys] New and old domains and SKs

Brad Templeton 4brad at templetons.com
Sun Dec 18 15:47:33 PST 2011


My main area of concern with sovereign keys, as I have expressed to
Peter, is the danger of their use as a denial of service attack on sites
that are not aware of the SK system but get compromised.  The attacker
uses control of the site to generate an SK known only to him, and now
the site can be held for permanent ransom to this key, due to the
irrevocable nature of SKs.

(A second concern is loss of all copies of the SK, which, in spite of how
diligent we make people be, will still happen.)

I believe that without care, negative consequences of SKs will outnumber
the instances of avoidance of domain hijacking by those who can control CAs.


To wit:

a) It should be much harder to get an SK for a well established domain,
particularly one with high PageRank (PageRank can be queried).  If one
gets an SK for such a domain, it should take time (at least a month)
before the key is irrevocable.

b) There should be short-term revocation schemes, which might well
involve CAs.  This allows somebody who controls a CA to revoke your SK
if it is fairly new, but the older it is, the harder it is.

c) Age should require use of the key, i.e. not just how long since the
key was created but how long since it has been actively in use at the
targeted domain.   "In use" checks must not come from predictable
sources lest attackers make the domain appear to be in use only to the
SK test servers.

d) A browser plugin should be made available where a user can declare "I
wish to pay special attention to domains matching this pattern."  In
this event, any security events -- such as creation and use of SKs for
such domains, changes in certificates, reductions in TLS security levels
-- all generate special warnings.   Thus it is harder for attackers to
surprise you by playing games with your domain.   Strict warnings cause
false alarms for users and thus don't work, but being very strict on
domains you own yourself is a good idea.

e) Creation of an SK for highly valuable domains should involve several
out of band efforts to confirm with sysadmins, getting progressively
annoying.   (If they confirm immediately there is no problem.)  This
includes mail to contact addresses, as well as root/postmaster
addresses.    Confirmation should involve access to something beyond the
machine itself (an attacker can probably read mail on a machine etc.)
such as the DNS whois record -- changing it in some way.  Other possible
confirmations might involve control of a higher level domain if it's
clear that's not all hosted on the same machine -- though this is still
vulnerable to a full network takeover.

f) On the other hand, for a freshly created domain, the creation of an
irrevocable SK can be instant -- in fact it can be done as part of the
domain registration process with a registrar that supports this.

g) A protocol might be arranged so that another machine which is holding
an escrowed copy of your private key can confirm that it is doing so.
That way, when I create an SK, I can send it to the trusted escrower (or
a collection who only hold a fragment each and are in different
countries.)   I can report who my escrow agents are and they can be
queried to prove I really did escrow the key.   Or I can check a box to
say, "I am a fool, and am handling my own offsite backup of my key."
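
The following is an added illustration, not part of the original message and not Sovereign Keys project code: a small Python model of points (a), (c) and (f), in which a key on an established domain becomes irrevocable only after 30 days of use seen by several independent vantage points, while a key created with the domain is irrevocable at once. The one-day freshness window, the three-vantage threshold and all function names are assumptions; the 30-day figure follows the message's "at least a month".

```python
from collections import defaultdict
from datetime import date, timedelta

IRREVOCABLE_AFTER_DAYS = 30  # the post's "at least a month", point (a)
FRESH_DOMAIN_DAYS = 1        # assumption: SK created during registration, point (f)
MIN_VANTAGES_PER_DAY = 3     # assumption: independent observers required, point (c)

def in_use_days(sk_created, observations):
    """Count days on which enough distinct vantage points saw the SK in use."""
    seen = defaultdict(set)
    for day, vantage in observations:
        if day >= sk_created:
            seen[day].add(vantage)
    return sum(1 for v in seen.values() if len(v) >= MIN_VANTAGES_PER_DAY)

def sk_status(domain_registered, sk_created, observations):
    """Return (state, credited_days) for a key under this hypothetical policy."""
    gap = (sk_created - domain_registered).days
    if 0 <= gap <= FRESH_DOMAIN_DAYS:
        return ("irrevocable", 0)  # fresh domain: nothing established to hijack
    used = in_use_days(sk_created, observations)
    state = "irrevocable" if used >= IRREVOCABLE_AFTER_DAYS else "revocable"
    return (state, used)

def daily(start, days, vantages):
    """Constructed sample data: one observation per vantage per day."""
    return [(start + timedelta(days=d), v) for d in range(days) for v in vantages]

if __name__ == "__main__":
    registered, created = date(2005, 1, 1), date(2011, 11, 1)
    # Key seen only by one predictable probe for 45 days: earns no credit.
    print(sk_status(registered, created, daily(created, 45, ["probe-a"])))
    # Key seen by three independent vantage points for 30 days.
    print(sk_status(registered, created, daily(created, 30, ["a", "b", "c"])))
```

Under this model a key that only a single predictable checker ever observes stays revocable no matter how old it is, which is the property point (c) asks for.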


