>If so, then the domain owner can deliver a public key with authenticity
>using the DNS.  This strikes a deathblow to the CA industry.  This
>threat is enough for CAs to spend a significant amount of money slowing
>down its development [0].
>How much more obvious does it get [1] ?

The PKI industry has been a sham since day one, and several root certs
have been compromised by the proverbial "bad guys" over the years (for
example, the "Flame" malware incident used to sign emergency Windows
Update packages which mysteriously only affected users in Iran and the
Middle East, or the Diginotar debacle, or the Tunisian "Ammar" MITM
attacks etc).  This of course is assuming that the FBI doesn't already
have access to all of the root CAs so that on domestic soil they can
sign updates and perform silent MITM interception of SSL and
IPSEC-encrypted traffic using transparent inline layer-2 bridging
devices that are at every major Internet peering point and interconnect,
because that would be crazy talk.

However, some form of authenticity and integrity is better than zero,
which is what the majority of the current DNS system offers, and it is
point and click trivial to perform MITM attacks with unauthenticated
DNS, especially on local area network segments which are rarely
protected with more than the Windows firewall.

Even without a centralized PKI, stateless port 53 UDP DNS could benefit
from some type of cryptographic security, but as with any standard
seemingly related to privacy or confidentiality we are left with this
DNSSEC quagmire of meetings and proposed meetings to talk about the next
meeting to discuss how the committee will propose the next request for
comment, ad nauseum.

Bitcoin for example doesn't need hundreds of private companies with
elaborate PKI documentation authentication services which are in reality
just mental placebos for Joe Consumer when he updates his monthly
Brazzers subscription, and it's doing just fine as the runner up for the
next global world monetary standard.

So with that said, I would still place my wager on the FBI being the
source of these various privacy enhancing service delays and not some
secret cabal of PKI execs that are engaging in standards committee
The cryptography mailing list

Reply via email to