On Fri, Nov 15, 2013 at 9:30 AM, Ralf Skyper Kaiser <sky...@thc.org> wrote:
> No. The user has to trust ALL keys and not just the single ROOT KEY. The > user has to trust: > 1. The key was generated securely (enough bits, good primes, ...) > 2. A good RNG was used (hi debian! Thanks for a bad RNG). > 3. The key is not leaked (on purpose) by _any_ of the admins in the domain > chain > 4. The key is stored securely and not stolen > 5 . ...This list is incomplete...and goes on and on. > > Excellent... So we'll run through a first-time connect without DANE, and with just pinning. > Maybe this example gives a better idea: > User in Iran. Jabber admin sets up a jabber server at > myjabberserver.my-university.ir. > > OK. So no change here. > The user has to trust ROOT (domain "."). ROOT is ultimately geopolitically > aligned with the US. > > Again, no change. Still got the trust the DNS, after all. Of course, Iran could run their own root, and frankly nobody would know without DNSSEC. So it's really hard to tell if the root you're querying is actually the one geopolitically aligned with the US or not. > The user has to trust .IR. That's ultimately the Iranian government. > > So here's a thing - this assumes the user is also in Iran. But without DNSSEC, you have to trust both your local authority and the domain owner. In your scenario, though, they're the same thing, so we can skip this, right? > The user has to trust MY-UNIVERSITY.IR (which is ultimately aligned with > Mr. Khomeini) > > Likewise... Though I'm pretty sure Khomeini hasn't been around for a while. > The user has to trust MYJABBERSERVER.my-university.ir which is the actual > jabber server admin. > > OK. Small note there, actually. You also have to trust any authority over your IP connectivity at this point, plus spoofing DNS is relatively easy without DNSSEC, so you're basically trusting *everyone*. Which just makes you a nice guy, right? Can I borrow €1,000? > <SARCASM> > That really sounds like a great idea! Unless of course > > 1. You are a gay person in Iran > 2. An Atheist in Saudi Arabia (or a women) > 3. Leonardo da Vinci and dare to suggest that the earth is round > 4. A black person wishing to sit in the front row of a bus > 5 ... > </SARCASM> > > Typically, sarcasm is used to posit something that is clearly the opposite of what you intend, by the way. Aside from "That really sounds like a great idea", I'll assume that the remainder of the argument you state above is, you believe, valid. > DANE does not protect any of the above people. > > It protects them significantly better, and from a greater number of attacks (and attackers), than self-signed certificates and pinning-only. > DANE just does not cut it. Not in a Post-Prism world. > > I have *no* idea what Prism has to do with this. Really. The only thing you need to defeat pervasive surveillance alone, which is a fundamentally untargetted attack, is to deploy some kind of encryption. ADH is fine for that. We're trying to solve an authentication problem. > Certificate Pinning does. > > Ah, but wait, because there's two additional steps you've skipped. With DANE, the user's client now knows something important - assuming it can trust the relevant delegation points, of course - it knows the address (via DNSSEC) and it also knows what to expect from the certificate (the CA, or certificate itself). These are good and useful things to know. With pure pinning and self-signed certificates, it knows nothing it can trust. It cannot trust the IP address, nor the certificate. Your argument is that a user should then trust these anyway, and bootstrap from there. The trouble is the attacker has much more scope to mount the initial attack, and once done it's fairly nicely self-sustaining - in fact, if they stop the attack, it'll appear as if the legitimate server is the attacker. I have no clue how to extricate the user at this point. I don't think anyone would claim that DANE is utterly proof against any form of attack, but your argument seems to be that because it's not perfect, we should instead use something worse. Critically, the argument "but nobody will attack the initial connect, it works with SSH" is entirely flawed, as every attack possible is magnitudes harder with DNSSEC and/or DANE. Also, you're welcome to use pinning *and* DANE. If you can figure out what takes precedence in the case of a mismatch. Dave.
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: jdev-unsubscr...@jabber.org _______________________________________________
