[83948] in cryptography@c2.net mail archive
RE: DNSSEC to be strangled at birth.
daemon@ATHENA.MIT.EDU (Dave Korn)
Sat Apr 7 12:07:46 2007
From: "Dave Korn" <dave.korn@artimi.com>
To: "'Paul Hoffman'" <paul.hoffman@vpnc.org>,
<tls@rek.tjls.com>
Cc: <cryptography@metzdowd.com>
Date: Sat, 7 Apr 2007 11:42:26 +0100
In-Reply-To: <p06240830c23b38229ff2@[10.20.30.108]>
On 06 April 2007 00:50, Paul Hoffman wrote:
>> because, with it, one can sign the appropriate
>> chain of keys to forge records for any zone one likes.
>
> If the owner of any key signs below their level, it is immediately
> visible to anyone doing active checking.
Only if they get sent that particular forged DNS response. It's more likely
to be targeted. DHS man shows up at suspect's ISP, with a
signed-below-its-level dns record (or a whole hierarchy of normally signed
records) to install on just their servers and perhaps even to serve up to just
one of their customers. Nobody else gets to see it.
>> Plus, now that applications are keeping public keys for services in
>> the DNS, one can, in fact, forge those entries and thus conduct man in
>> the middle surveillance on anyone dumb enough to use DNS alone as a
>> trust conveyor for those protocols (e.g. SSH and quite possibly soon
>> HTTPS).
>
> ...again assuming that the users of those keys don't bother to look
> who signed them.
I think that's a safe assumption. How are these users meant to "look"?
Little lock-icon in the status bar?
> Because I believe that ISPs, not just security geeks, will be
> vigilant in watching whether there is any layer-hopping signing and
> will scream loudly when they see it. AOL and MSN have much more to
> lose if DHS decides to screw with the DNS than anyone on this list
> does.
Can I point out that large telecomms corporations have been making a habit
of silently acquiescing to whatever illegal and spuriously-motivated requests
the DHS or anyone else invoking the magic words "war on terror" is capable of
dreaming up?
> Having said that, it is likely that we will be the ones to
> shoot the signal flares if DHS (or ICANN, for that matter) misuses
> the root signing key. But it won't be us that causes DHS to stand
> down or, more likely, get thrown off the root: it's the companies who
> have billions of dollars to lose if the DNS becomes untrusted.
We already had this with PKI and SSL, and it basically failed. Works fine
on a small scale in a tightly-disciplined organisation; fails totally to scale
to Joe Internet-User.
cheers,
DaveK
--
Can't think of a witty .sigline today....
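The "active checking" Paul describes, and the limit Dave points out (a below-level signature served to one customer is only visible to the resolver that receives it), can be made concrete. The following is an added example, not code from either author or from any DNSSEC implementation: it flags RRSIGs whose signer name is an ancestor zone (root or TLD key) rather than the zone that owns the RRset, using a constructed list of known zone apexes and constructed RRSIG summaries.

```python
"""Flag DNSSEC "layer-hopping" signatures: RRSIGs whose signer is an ancestor
zone rather than the zone that actually owns the RRset.  Simplified check;
ZONES and SAMPLE below are constructed for illustration."""

def labels(name):
    # "www.example.com." -> ["com", "example", "www"]  (root-first)
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def is_ancestor_or_self(zone, name):
    z, n = labels(zone), labels(name)
    return n[:len(z)] == z

def parent(name):
    return ".".join(reversed(labels(name)[:-1])) + "."

def enclosing_zone(name, zones):
    # Closest known zone apex at or above `name` (longest label match wins).
    cands = [z for z in zones if is_ancestor_or_self(z, name)]
    return max(cands, key=lambda z: len(labels(z)))

def expected_signer(owner, rrtype, zones):
    zone = enclosing_zone(owner, zones)
    if rrtype == "DS" and labels(zone) == labels(owner):
        # The DS RRset lives in the parent zone, so the parent legitimately signs it.
        return enclosing_zone(parent(owner), zones)
    return zone

def check_rrsigs(rrsigs, zones):
    """rrsigs: iterable of (owner, rrtype, signer).  Returns findings as
    (kind, owner, rrtype, signer, expected_signer) tuples."""
    findings = []
    for owner, rrtype, signer in rrsigs:
        want = expected_signer(owner, rrtype, zones)
        if labels(signer) == labels(want):
            continue                          # signed by the zone that owns it
        if is_ancestor_or_self(signer, want):
            kind = "LAYER_HOPPING"            # a higher key signing below its level
        else:
            kind = "FOREIGN_SIGNER"           # neither the zone nor an ancestor of it
        findings.append((kind, owner, rrtype, signer, want))
    return findings

ZONES = [".", "com.", "example.com."]   # constructed: apexes learned from the delegation chain
SAMPLE = [  # constructed RRSIG summaries: (owner, type, signer name)
    ("example.com.", "DS", "com."),             # normal: parent signs the child's DS
    ("www.example.com.", "A", "example.com."),  # normal: zone signs its own data
    ("www.example.com.", "SSHFP", "."),         # root key signing a host's SSHFP record
    ("www.example.com.", "A", "evil.net."),     # signer unrelated to the name
]

if __name__ == "__main__":
    for finding in check_rrsigs(SAMPLE, ZONES):
        print(*finding)
```

A real validator (RFC 4035) already rejects such signatures when it sees them; the check above only records what a given resolver was actually shown, so a response delivered to a single customer is caught only by that customer's resolver.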
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com