On Tue, 17 Sep 2013 23:48:40 -0700 "Christian Huitema" <[email protected]> wrote:

> > Given that many real organizations have hundreds of front end
> > machines sharing RSA private keys, theft of RSA keys may very
> > well be much easier in many cases than broader forms of sabotage.
>
> Or we could make it easy to have one separate RSA key per front
> end, signed using the main RSA key of the organization.
Certainly, though the protection against active attacks doesn't improve much in that situation. Merely doing DNS cache preloading (I'd say poisoning, but the host you're being pointed at would be entirely legitimate!) or some other attacks could force a target to use a particular server at a site, perhaps the one of several front ends where you had stolen a key. It is hard for DNSSEC to defend against this given that the DNS data is real, and as active attacks go, it is quite cheap! (This also makes various forms of certificate pinning/witnessing harder, though not necessarily fatally so.)

I don't disagree with your point, of course. I just think defense in depth requires that we consider all these possibilities and force the attacker to spend as much as possible to get access to traffic data and plaintext, and to do it only for single targets.

Perry

--
Perry E. Metzger [email protected]

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
