Ted Lemon wrote:
> Ohta-san is using the term MiTM in an unusual way.
Wrong. See, for example, https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack

"More facts have recently come to light about the compromise of the DigiNotar Certificate Authority, which appears to have enabled Iranian hackers to launch successful man-in-the-middle attacks against hundreds of thousands of Internet users inside and outside of Iran."

There are a lot of other examples. For example, both plain DNS and DNSSEC are subject to MitM attacks on the software distribution chain to forge root zone information: the IP addresses of the root servers or the public key of the root zone.
> Normally we mean an on-path attack.
Exactly, MitM attack means an on-path attack on some chain, including but not limited to the ISP chain. So?
> Ohta-san is talking about attacks on root and intermediate zone keys
That is a well-known MitM attack, in this case on the zone/CA chain.
> using the term "man-in-the-middle," that's all.
Your denial of the term MitM cannot deny the fact that PKI, including DNSSEC, is not cryptographically secure; the desperate attempt against this is to make the intermediate intelligent entities, the CAs, physically secure, which DigiNotar demonstrated to be not secure at all.

Masataka Ohta