[27248] in cryptography@c2.net mail archive
Re: Status of opportunistic encryption
daemon@ATHENA.MIT.EDU (Thomas Harold)
Sun Jun 4 13:26:25 2006
X-Original-To: cryptography@metzdowd.com
Date: Sun, 04 Jun 2006 11:03:35 -0400
From: Thomas Harold <tgh@tgharold.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <447CCDB5.1060704@echeque.com>
James A. Donald wrote:
>
> Attacks on DNS are common, though less common than other
> attacks, but they are by scammers, not TLA agencies,
> perhaps because they are so easily detected.
>
> All logons should move to SRP to avoid the phishing
> problem, as this is the most direct and strongest
> solution for phishing for shared secrets, and phishing
> for shared secrets is the biggest problem we now have.
>
> Encrypting DNS is unacceptable, because the very large
> number of very short messages make public key encryption
> an intolerable overhead. A DNS message also has to fit
> in a single datagram.
>
IIRC, from following the development of SPF (which uses rather lengthy
DNS data records), a DNS message that fits inside a single datagram
can be sent via UDP, but if it spills over, the DNS server has to set up
a TCP connection.
So longer DNS messages are allowed, but they are either expensive (TCP
vs UDP) or not supported by all implementations?
(Did I get that right?)
I do suspect at some point that the lightweight nature of DNS will give
way to a heavier, encrypted or signed protocol. Economic factors will
probably be the driving force (online banking).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
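The UDP/TCP behaviour Thomas is asking about can be shown in a few lines. What follows is an added illustration, not code from anyone on this thread: it serialises a DNS TXT answer (an SPF-style record is a natural test case), applies the classic 512-byte UDP limit from RFC 1035 (the example assumes no EDNS0 buffer-size negotiation), sets the TC (truncated) flag when the answer does not fit, and shows the client-side check that tells a resolver to retry the same question over TCP with the 2-byte length prefix TCP transport uses. The zone name, the record contents and the choice to drop the whole answer section on truncation are all constructed for the example; real servers may instead keep as many records as fit.

```python
import struct

UDP_MAX = 512  # RFC 1035 datagram limit; assumption: no EDNS0 in play


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def header(txid, flags, qdcount, ancount, nscount=0, arcount=0):
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def question(name, qtype=16, qclass=1):  # 16 = TXT, 1 = IN
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def txt_rr(name, text, ttl=300):
    """TXT RDATA is a sequence of <character-string>s: 1 length byte + up to 255 bytes each."""
    data = text.encode("ascii")
    chunks = b"".join(
        bytes([len(data[i:i + 255])]) + data[i:i + 255] for i in range(0, len(data), 255)
    )
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(chunks)) + chunks


def build_response(txid, name, texts, max_size=UDP_MAX):
    """Return (message, truncated). If the full answer exceeds max_size, the
    server sets TC and (in this example) sends header + question only, which
    tells the client to come back over TCP for the complete answer."""
    q = question(name)
    answers = b"".join(txt_rr(name, t) for t in texts)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    msg = header(txid, flags, 1, len(texts)) + q + answers
    if len(msg) <= max_size:
        return msg, False
    tc_flags = flags | 0x0200  # TC bit (bit 6 of the flags word)
    return header(txid, tc_flags, 1, 0) + q, True


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def client_should_retry_tcp(udp_reply):
    """A resolver that sees TC set must discard the partial answer and re-ask over TCP."""
    return parse_header(udp_reply)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def demo():
    # Constructed records: a short SPF policy and an overlong one with many ip4: mechanisms.
    name = "example.test."
    short = ["v=spf1 -all"]
    long_ = ["v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(60)) + " -all"]

    udp_ok, tc = build_response(0x1234, name, short)
    print(f"short policy: {len(udp_ok)} bytes over UDP, TC={tc}")

    udp_trunc, tc = build_response(0x1234, name, long_)
    print(f"long policy: UDP reply is {len(udp_trunc)} bytes, TC={tc}")
    if client_should_retry_tcp(udp_trunc):
        full, _ = build_response(0x1234, name, long_, max_size=65535)
        framed = tcp_frame(full)
        print(f"retrying over TCP: {len(full)}-byte message, {len(framed)} bytes on the wire")


if __name__ == "__main__":
    demo()
```

The two costs Thomas names are visible here: the truncated UDP reply is wasted work (the client throws it away), and the TCP retry means a handshake plus a second round trip before any answer arrives. Resolvers that ignore the TC bit and use the partial answer are the implementations that "don't support" long records.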