Hi Tony,

DNSSEC is a step in the right direction. I do not dispute that and salute the Jabber community for recognizing this.

DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate that risk.

On the client/user side this is not sufficient. DNSSEC won't give the user the security that he believes he is getting. (During the 2011-revolutions wrongly understood Internet security got people arrested, tortured or worse).

Let me elaborate a bit further here why this is so important. Let me quote from "The Universal Declaration of Human Rights":

DNSSEC does not change this. Only DNSSEC and pinning does. And in fact pinning alone

I've drawn up example scenarios over and over.

On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <d...@dotat.at> wrote:

> Ralf Skyper Kaiser <sky...@thc.org> wrote:
> >
> > The user has to trust ALL keys and not just the single ROOT KEY.
>
> That's true, but the amount of trust you have to put in high-level DNSSEC
> keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
> keys cannot authenticate domain names below a zone cut. The DNS also
> caches a lot, so if an attacker tries to redirect part of the namespace
> without obtaining the corresponding private keys, they will cause
> suspicious validation failures at sites where the proper public keys were
> cached.
>
> It would be nice to have something better than DNSSEC, but at least it has
> a safer structure than X.509.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: jdev-unsubscr...@jabber.org
> _______________________________________________