On Tue, 22 Sep 2015, John Levine wrote:
> Also, this introduces a downgrade attack. User creates a key, gets lots of WoT signatures, publishes it through key servers and DANE. Bad guy takes over the account, publishes a new key with no signatures. According to sec 5.2 of the draft, a mail sender looks up the key, finds they disagree, and the verification fails. Now what? The draft suggests dumping the question on the MUA user, which we know is never a good idea. As likely as not a naive user would pick the newer key, the one that says "USE THIS KEY OLD ONE WAS STOLEN."
The attacker already receives all email to the stolen account. And can reset all services that require only email verification for a password reset. This is pretty identical to the situation where you do not use DNS and the attacker takes over the email account and mails all address book entries a new PGP key. If encryption is required for life saving, and you are confronted with a new key, then you better check either with the person or at the minimum check it was signed with the old known key. The fact that you pull a new key from DNS versus a new key from a keyserver is irrelevant to this.
> Finally, if the problem with existing key servers is that they won't delete dead keys, that does not strike me as an insoluble problem. Talk to the people who run them
Please do. But it is out of scope for this draft that is specifying a different method of publishing your openpgp keys.
> and we're all done.
That's your goal, not the goal of the dane working group when they adopted this draft.

Paul
