[146755] in cryptography@c2.net mail archive
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
daemon@ATHENA.MIT.EDU (Ray Dillinger)
Sat Sep 7 16:33:57 2013
X-Original-To: cryptography@metzdowd.com
Date: Sat, 07 Sep 2013 12:54:04 -0700
From: Ray Dillinger <bear@sonic.net>
To: cryptography@metzdowd.com
In-Reply-To: <718DFA7882181D45B8BD18F31C46D55427B21BB2@MBX204.domain.local>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
>> First, DNSSEC does not provide confidentiality. Given that, it's not
>> clear to me why the NSA would try to stop or slow its deployment.
If it isn't, then you haven't considered its likely effects.
First of all, it makes CA's visibly redundant. If people stop using
CA's that multiplies the number of channels that must be compromised
in order to eavesdrop. Furthermore, it makes those channels parties
actually interested in the authenticity of the communications, such
as the companies whose keys are being authenticated. In short, it
means the NSA would have to deal directly with the people they want
to eavesdrop on. That makes reaching a covert deal to expose keys a
bit more difficult, I'm thinking.
Secondly, it is the case that a DNS cache poisoning attack is an
occasionally useful technique allowing attackers to access things
that some people would rather they didn't access. Such attackers
may or may not, apparently, include the NSA themselves, and if they
depend on that capability, then DNSSEC could be seen by them as a
threat against a useful channel for obtaining information.
Bear
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
