RE: DNSSEC to be strangled at birth.

[Charlie Kaufman]

I wonder if the DHS has any idea what it's asking for. The news
totally mangled what you might be able to do with that key. Even
people on this list have trouble figuring it out. Perhaps they just
heard about this root key thing, thought it sounded cool and important,
and since they recently watched Sneakers they thought they better have
it.

The news articles didn't say whether they wanted to be the only ones
to have it (which they could argue was a good idea because who better
to secure the Internet, but it would mean they would have work to do),
or whether they just wanted a copy (which would be of absolutely no
value defensively - it constitutes a tool for mounting an extremely
difficult and quickly detected attack on the Internet).

--Charlie

p.s. strangled at birth seems a bad metaphor. DNSSEC may still be
in diapers, but it turned 10 in January. More like added another
nail

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
Sent: Friday, April 06, 2007 12:16 PM
To: Nicolas Williams
Cc: Paul Hoffman; [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: DNSSEC to be strangled at birth.

Nicolas Williams wrote:
  Which means that the MITM would need the cooperation
  of the client's provider in many/most cases (a
  political problem) in order to be able to quickly get
  in the middle so close to a leaf node (a technical
  problem).

Not a very large political problem.  Most ISPs not only
roll over for the DOJ, the FBI, and the DHS, they also
roll over for the russian mafias.

With the root key and the cooperation of nodes close to
the client, you can intercept SSH and SSL communications
that rely on DNSSEC.  Without the root key, you cannot.
This is huge.

This, of course, means the sensible man configures SSH
not to rely on DNSSEC by default, which substantially
reduces the benefit of SSH.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
N��*m�
ڦ�j)b����'���r��y��zwb�r��y ��a��j:+vsv�r�

RE: DNSSEC to be strangled at birth.

[Dave Korn]

On 06 April 2007 00:50, Paul Hoffman wrote:

 because, with it, one can sign the appropriate
 chain of keys to forge records for any zone one likes.
 
 If the owner of any key signs below their level, it is immediately
 visible to anyone doing active checking. 

  Only if they get sent that particular forged DNS response.  It's more likely
to be targeted.  DHS man shows up at suspect's ISP, with a
signed-below-its-level dns record (or a whole hierarchy of normally signed
records) to install on just their servers and perhaps even to serve up to just
one of their customers.  Nobody else gets to see it.

 Plus, now that applications are keeping public keys for services in
 the DNS, one can, in fact, forge those entries and thus conduct man in
 the middle surveillance on anyone dumb enough to use DNS alone as a
 trust conveyor for those protocols (e.g. SSH and quite possibly soon
 HTTPS).
 
 ...again assuming that the users of those keys don't bother to look
 who signed them.

  I think that's a safe assumption.  How are these users meant to look?
Little lock-icon in the status bar?

 Because I believe that ISPs, not just security geeks, will be
 vigilant in watching whether there is any layer-hopping signing and
 will scream loudly when they see it. AOL and MSN have much more to
 lose if DHS decides to screw with the DNS than anyone on this list
 does. 

  Can I point out that large telecomms corporations have been making a habit
of silently acquiescing to whatever illegal and spuriously-motiveated requests
the DHS or anyone else invoking the magic words war on terror is capable of
dreaming up?

 Having said that, it is likely that we will be the ones to
 shoot the signal flares if DHS (or ICANN, for that matter) misuses
 the root signing key. But it won't be us that causes DHS to stand
 down or, more likely, get thrown off the root: it's the companies who
 have billions of dollars to lose if the DNS becomes untrusted.

  We already had this with PKI and SSL, and it basically failed.  Works fine
on a small scale in a tightly-disciplined organisation; fails totally to scale
to Joe Internet-User.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: DNSSEC to be strangled at birth.

[Anne Lynn Wheeler]

Dave Korn wrote:

We already had this with PKI and SSL, and it basically failed.
Works fine on a small scale in a tightly-disciplined organisation;
fails totally to scale to Joe Internet-User.


one could claim that PKI failed ... especially in its trusted 3rd
party scenario ...  since it was an amazingly complex and expensive
deployment to solve a rapidly vanishing problem.

the basic design point is the electronic analog for physical
credentials, certificates, licenses used in the offline world ... or
the electronic analog of letters of credit/introduction from the
sailing ship days (and before) ... the trusted distribution of
information for the benefit of relying parties that had no other
recourse for the information.

in an online world ... a paradigm designed for trusted distribution of
information for an offline world, rapidly becomes redundant,
superfluous and obsolete (besides enormously NOT cost effective).

SSL was intended as countermeasures to two vulnerabilities 1) are you
really talking to the server that you think you are talking to (among
other things ip-address hijacking) and 2) evesdropping of information
in transit.

The SSL solution to #1 was predicated on the end-user having knowledge
of a trusted binding between the server he thought he was talking to
and the URL for that server.  The SSL protocol then provided the
trusted binding between the URL and the server the user was actually
talking to. That weak-link in all of this was current infrastructure
where end-users frequently have very little knowledge of the binding
between the server they think they are talking to and the URL for that
server.

It isn't so much that SSL has failed to do what it was implemented to
do, it is that SSL failed to take into account that part where
end-users have very little knowledge of the relationship between
servers and the URLs for those servers. It isn't so much a small-scale
population that it works for ... it requires a (disciplined)
population that maintains adequate knowledge of the relationship
between servers and the URL for those servers. Even a well disciplined
population is likely only to maintain knowledge of strong binding
between servers and URLs ... for only a small number of servers and
their corresponding URLs. The same population may be also be
vulnerable when dealing with URLs and servers outside some well
regulated domain.

these series of posts talk about eliminating PKI and digital
certificates for SSL ... and going to real-time public key operations
in the domain name infrastructure ... as countermeasure to ip-address
hijacking (original SSL) as well as domain name hijacking (as well as
providing mechanism for encrypting information while in transit).
http://www.garlic.com/~lynn/subpubkey.html#catch22

Aka the current domain name certification authority PKI-based paradigm
has its root trust in the validity of the information at the domain
name infrastructure. While the existing SSL/PKI related implementation
was targeted at ip-address take-over ... it still remained vulnerable
to domain name hijacking.

however, the real-time domain name public keys, still doesn't address
the vulnerability of end-users typically not having knowledge of
strong binding between the website they think they are talking to and
the corresponding URL (making them vulnerable to website impersonation
and social engineering attacks that get them to click on arbitrary
URLs).

Solutions for these vulnerabilities ... typically involve some amount
of additional trust operations by the users ... along the lines
of local repository of trusted public keys with the corresponding
trusted binding to trusted URLs (which starts to look somewhat
like the PGP email public key repository). One of the issues for
such solutions is that they lack the economic incentive for
large scale deployment (i.e. there is no 3rd party taking in
money selling digital certificates).


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]