Ted Lemon wrote:

> Ohta-san is using the term MiTM in an unusual way.

Wrong. See, for example,

        
https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack
        More facts have recently come to light about the compromise
        of the DigiNotar Certificate Authority, which appears to have
        enabled Iranian hackers to launch successful man-in-the-middle
        attacks against hundreds of thousands of Internet users inside
        and outside of Iran.

There are a lot of other examples. For example, both plain DNS and
DNSSEC are subject to MitM attacks on software distribution chain
to forge root zone information of IP addresses of root servers
or public key of the root zone.

> Normally we mean an on-path attack.

Exactly, MitM attack means on-path attack on some chain including
but not limited to ISP chain. So?

> Ohta-san is talking about attacks on root and intermediate
> zone keys

That is, well known MitM attack, in this case, on zone/CA chain.

> using the term "man-in-the-middle," that's all.

Your denial of the term of MitM cannot deny a fact that PKI
including DNSSEC is not cryptographically secure, desperate
attempt against which is to make intermediate intelligent
entities of CAs physically secure, which was demonstrated
by DigiNotar not secure at all.

                                                Masataka Ohta
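The thread above argues that the root zone key reaches a resolver through a software distribution chain that can itself be tampered with. The check a defender wants at that point is to recompute the DS record of the shipped root DNSKEY and compare it with a DS value pinned out of band. The example below is added here and is not code from the thread or from any named project; the DNSKEY it builds is a constructed sample, not the real root KSK, and `verify_shipped_anchor` is a hypothetical name.

```python
import hashlib
import struct

# Constructed sample root DNSKEY (NOT the real root KSK): flags=257 (KSK),
# protocol=3, algorithm=8 (RSA/SHA-256), with placeholder key bytes.
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 8
SAMPLE_PUBKEY = bytes(range(32))        # constructed placeholder key material
ROOT_OWNER_WIRE = b"\x00"               # wire format of the root name "."


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Serialise DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # even offsets weigh the high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner_wire, rdata):
    """DS digest type 2 (SHA-256) over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def verify_shipped_anchor(shipped_rdata, pinned_tag, pinned_digest):
    """True only if the shipped root key reproduces the pinned DS record.

    A distribution that substituted a different root key (the attack the
    thread describes) would change both values and fail this check.
    """
    tag_ok = key_tag(shipped_rdata) == pinned_tag
    digest_ok = ds_digest(ROOT_OWNER_WIRE, shipped_rdata) == pinned_digest
    return tag_ok and digest_ok


if __name__ == "__main__":
    genuine = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    pinned_tag, pinned_digest = key_tag(genuine), ds_digest(ROOT_OWNER_WIRE, genuine)
    print("shipped key matches pinned DS:", verify_shipped_anchor(genuine, pinned_tag, pinned_digest))
    # Simulate a tampered distribution: one byte of key material swapped.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    print("tampered key matches pinned DS:", verify_shipped_anchor(tampered, pinned_tag, pinned_digest))
```

The pinned tag and digest would in practice come from a channel independent of the package being verified, for example a printed or separately signed copy of the DS record.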

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop