Hi Tony, DNSSEC is a step into the right direction. I do not dispute that and salute the jabber community for recognizing this.
DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate that risk. DNSSEC in fact only marginally reduces this risk considering the real-world attacks that happened since 2011. On the client/user side this is not sufficient. DNSSEC wont give the user the security that he believes he is getting. (During the 2011-revolutions wrongly understood Internet security got people arrested, tortured or worse). Let me elaborate a bit further here why this is so important. Let me quote from "The Universal Declaration of Human Rights": "Whereas disregard and contempt for human rights have resulted in barbarous acts which have outraged the conscience of mankind, and the advent of a world in which human beings shall enjoy freedom of speech and belief and freedom from fear and want has been proclaimed as the highest aspiration of the common people," It is so important that it is not mentioned somewhere random but in the Preamble itself. It is the second sentence. Jabber with DNSSEC requires the user to trust the ROOT (domain name "."). This ROOT KEY is ultimately controlled by an entity which is geopolitically aligned with US policy (and therefor US government). Let's assume that everybody in the US trusts the US government (quite an assumption in a Post-PRISM world). Even then would this be less than 5% of the world population. And with DNSSEC it gets worse. A user in country .XX connecting to a jabber-server.XX has to trust "." _and_ ".XX". Trusting your own government (which ultimately controls the .XX zone in many countries) is the problem, not the solution. Peter, I hope you understand how important this is and I kindly ask you to include cert-pinning in your manifesto. regards, Ralf On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <d...@dotat.at> wrote: > Ralf Skyper Kaiser <sky...@thc.org> wrote: > > > > The user has to trust ALL keys and not just the single ROOT KEY. > > That's true, but the amount of trust you have to put in high-level DNSSEC > keys is relatively limited. DNSSEC is aware of zone cuts, and high-level > keys cannot authenticate domain names below a zone cut. The DNS also > caches a lot, so if an attacker tries to redirect part of the namespace > without obtaining the corresponding private keys, they will cause > suspicious validation failures at sites where the proper public keys were > cached. > > It would be nice to have something better than DNSSEC, but at least it has > a safer structure than X.509. > > Tony. > -- > f.anthony.n.finch <d...@dotat.at> http://dotat.at/ > Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at > first. > Rough, becoming slight or moderate. Showers, rain at first. Moderate or > good, > occasionally poor at first. > _______________________________________________ > JDev mailing list > Info: http://mail.jabber.org/mailman/listinfo/jdev > Unsubscribe: jdev-unsubscr...@jabber.org > _______________________________________________ >
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: jdev-unsubscr...@jabber.org _______________________________________________
