At 08:07 PM 6/11/2003 -0400, Steven M. Bellovin wrote:
Let me point folk at
for a related issue.  To put it very briefly, *real* authentication is

"real" authentication is actually that hard; it is "identification" that tends to really get sticky. one of the reasons for simplified security taxonomy like PAIN or PAIIN ... aka

3-factor authentication is

something you have (like a token)
something you know (like a password)
something you are (like biometrics)

In the past, I've posted regarding proposals for implementing authentication techniques in association with various internet operation registries .... in part because they are currently relying primarily on identification which is easily spoofed.

the previous posts highlight the domain name take-over exploits .... using the same techniques used in the referenced article for ip-address take-over.

the issue for SSL domain name certificates .... and people concerned about the integrity of the domain name infrastructure .... is that the certification authorities aren't the authoritative reference for the information that they are certifying .... it is the domain name infrastructure (and similarly the ip-address registry). The domain name take-overs have been very similar to the described techniques in the article for ip-address take-over. Somewhat the CA industry proposal is for the registries to implement public key registration at the same time the domain name (or ip-address) is registered. The public key is registered in the registry account record .... and all future interaction is done via authenticated signed transactions (authenticated using the public key in the registry account record).

The claim regarding the operation of the internet operational registries is that they are effectively non-authenticated .... in much the same way that current credit card transactions are not authenticated. The x9.59 standard is for all electronic retail payments, and they are authenticated using a public key registered in the account record. This is effectively the same proposal (somewhat instigated by the certification authority industry) for transitioning the internet registries from non-authenticated transactions to authenticated transactions (by using digitally signed messages that are authenticated with the public key registered in the corresponding registry account record).

as in previous observations .... having a domain name owner register their public key in the internet registry (domain name infrastructure or ip-address registry) starts to lessen the requirement for having SSL domain certificates.

random past posts regarding irony/catch22 for the CAs and SSL domain name certificates:
How effective is open source crypto?
How effective is open source crypto? (bad form)
Why trust root CAs ?
Web of Trust
CA Certificate Built Into Browser Confuse Me
SSL MITM Attacks
SSL integrity guarantees in abscense of client certificates
Root certificate definition
SSL certificate modification
SSL certificate modification
SRP authentication for web app
Are ssl certificates all equally secure?
Cirtificate Authorities 'CAs', how curruptable are they to
SSL & Man In the Middle Attack
SSL & Man In the Middle Attack
SSL questions
Authentification vs Encryption in a system to system interface
New RFC 3514 addresses malicious network traffic
Anne & Lynn Wheeler
Internet trivia 20th anv
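The registry-side check the post describes (a public key registered in the account record, with later changes accepted only as signed transactions verified against that key), written out as an added example in Go; it is not code from the post, the x9.59 work, or any registry. The record layout, the Ed25519 key type, the sequence-number replay check and the example.test names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AccountRecord is a hypothetical registry account record: the owner's public key is
// stored when the name is registered, and every later change must be signed with it.
type AccountRecord struct {
	Domain      string
	Nameservers []string
	OwnerKey    ed25519.PublicKey
	LastSeq     uint64 // highest sequence number accepted so far; blocks replay
}
// UpdateRequest is the change the owner asks the registry to apply.
type UpdateRequest struct {
	Domain      string
	Nameservers []string
	Seq         uint64
}
// SignUpdate is the owner's side: serialize the request and sign it with the private key.
func SignUpdate(priv ed25519.PrivateKey, req UpdateRequest) (body, sig []byte) {
	body, _ = json.Marshal(req) // plain strings and a uint64 always marshal
	return body, ed25519.Sign(priv, body)
}
// ApplyUpdate is the registry's side: apply only if the signature verifies against the registered key and the request is fresh.
func ApplyUpdate(rec *AccountRecord, body, sig []byte) error {
	if !ed25519.Verify(rec.OwnerKey, body, sig) {
		return fmt.Errorf("signature does not verify against registered key")
	}
	var req UpdateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	if req.Domain != rec.Domain || req.Seq <= rec.LastSeq {
		return fmt.Errorf("wrong account, or stale/replayed request")
	}
	rec.Nameservers, rec.LastSeq = req.Nameservers, req.Seq
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed owner key pair
	rec := AccountRecord{Domain: "example.test", Nameservers: []string{"ns1.example.test"}, OwnerKey: pub}
	body, sig := SignUpdate(priv, UpdateRequest{"example.test", []string{"ns2.example.test"}, 1})
	fmt.Println("owner-signed:", ApplyUpdate(&rec, body, sig), rec.Nameservers)
	fmt.Println("replayed:", ApplyUpdate(&rec, body, sig)) // same signed request again is refused
}
```

A request signed with any key other than the one in the account record, a replayed request, or a request naming a different account is refused before the record is touched.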

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
