-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
Sent: Friday, April 06, 2007 12:16 PM
To: Nicolas Williams
Cc: Paul Hoffman; [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: DNSSEC to be strangled at birth.
Nicolas
On 06 April 2007 00:50, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
visible to anyone doing active checking.
Only if they get sent that
Dave Korn wrote:
We already had this with PKI and SSL, and it basically failed.
Works fine on a small scale in a tightly-disciplined organisation;
fails totally to scale to Joe Internet-User.
one could claim that PKI failed ... especially in its trusted 3rd
party scenario ... since it was an
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false, and presumably is _exactly_ why DHS wants
the root signing key: because, with it, one can sign the
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false,
This is, of course false. In order to control
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
visible to anyone doing active checking. The root signing
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
On Thu, Apr 05, 2007 at 05:30:53PM -0700, Paul Hoffman wrote:
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
You're missing the point. The root just signs itself a new .net key,
and then uses that to sign a new furble.net key, and so forth. No
unusual key use is required.
And you
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of
[[ Agree with Nico's MITM arguments; different point below ]]
At 10:49 AM -0500 4/6/07, Nicolas Williams wrote:
The DHS would get real value in terms of veto power over new TLDs, IFF
it is the only one to possess the root private key. But that's not what
the story said, IIRC.
Whoever owns
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users). Why assume the
potential adversary will restrict himself to the dumbest possible way
to use the new tools you're
On Fri, Apr 06, 2007 at 05:13:00PM -, John Levine wrote:
You assume the new .net key (and what's signed with it) would be
supplied to all users of the DNS, rather than used for a targeted
attack on one user (or a small number of users). Why assume the
potential adversary will restrict
Nicolas Williams wrote:
Which means that the MITM would need the cooperation
of the client's provider in many/most cases (a
political problem) in order to be able to quickly get
in the middle so close to a leaf node (a technical
problem).
Not a very large political problem. Most ISPs not
Afternoon all,
This story is a couple of days old now but I haven't seen it mentioned
on-list yet.
The DHS has requested the master key for the DNS root zone.
http://www.heise.de/english/newsticker/news/87655
http://www.theregister.co.uk/2007/04/03/dns_master_key_controversy/
On Wed, Apr 04, 2007 at 05:51:27PM +0100, Dave Korn wrote:
Can anyone seriously imagine countries like Iran or China signing up to a
system that places complete control, surveillance and falsification
capabilities in the hands of the US' military intelligence?
How is this any different from
The DHS has requested the master key for the DNS root zone.
Can anyone seriously imagine countries like Iran or China signing up
to a system that places complete control, surveillance and
falsification capabilities in the hands of the US' military
intelligence?
For anyone who hasn't been
anti-rant
At 5:51 PM +0100 4/4/07, Dave Korn wrote:
Can anyone seriously imagine countries like Iran or China signing up to a
system that places complete control, surveillance and falsification
capabilities in the hands of the US' military intelligence?
No.
But how does having the root
Dave Korn [EMAIL PROTECTED] writes:
Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread
non-acceptance.
I realise this is a bit of a cheap shot, but:
How will this be any different from the current situation?
Peter.
Dave,
For the purposes of discussion,
(1) Why should I care whether Iran or China sign up?
(2) Who should hold the keys instead of the only powerful
military under democratic control?
(a) The utterly porous United Nations?
(b) The members of this mailing list, channeling
for
On 05 April 2007 16:48, [EMAIL PROTECTED] wrote:
Dave,
For the purposes of discussion,
(1) Why should I care whether Iran or China sign up?
I think it would be consistent to either a) care that *everybody* signs up,
or b) not care about DNSSEC at all, but I think that a fragmentary
Dave mentioned:
# Can anyone seriously imagine countries like Iran or China signing up to a
#system that places complete control, surveillance and falsification
#capabilities in the hands of the US' military intelligence?
I'm not sure having control of the keys for the root zone would
Paul Hoffman [EMAIL PROTECTED] writes:
At 5:51 PM +0100 4/4/07, Dave Korn wrote:
Can anyone seriously imagine countries like Iran or China signing up to a
system that places complete control, surveillance and falsification
capabilities in the hands of the US' military intelligence?
No.
* Peter Gutmann:
Dave Korn [EMAIL PROTECTED] writes:
Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread
non-acceptance.
I realise this is a bit of a cheap shot, but:
How will this be any different from the current situation?
You can see that the keys change and
Simon Josefsson wrote:
However, in practice I don't believe many will trust the root key
alone -- for example, I believe most if not all Swedish ISPs would
configure in trust of the .se key as well. One can imagine a
web-of-trust based key-update mechanism that avoids the need to trust
a
* Simon Josefsson:
However, in practice I don't believe many will trust the root key
alone -- for example, I believe most if not all Swedish ISPs would
configure in trust of the .se key as well.
There are some examples that such static configuration is extremely
bad. Look at the problems
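The chain-of-trust argument above (Thor's "the root just signs itself a new .net key, and then uses that to sign a new furble.net key", Simon's ISPs that "configure in trust of the .se key as well", and Florian's "you can see that the keys change") can be run through as a small model. This is an added example, not code from anyone in the thread. Signatures are stand-ins: a signature produced by Key.sign is treated as unforgeable by anyone who does not hold that Key object, so the model captures who can sign what, not the cryptography. The zone names .net and furble.net come from the thread; the name www.furble.net, the two addresses, the validator, the attacker and the trust-anchor sets are this example's own assumptions.

```python
"""Toy model of the DNSSEC chain of trust argued over in this thread (an added
example, not code from any poster). Signatures are stand-ins: a signature made
by Key.sign is treated as unforgeable by anyone without that Key object, so the
model captures who can sign what, not the cryptography. The zone names and
'furble.net' come from the thread; the validator, the attacker and the sample
A records are this example's own construction."""
import secrets


class Key:
    """A zone signing key; its tag stands in for the DNSKEY key tag."""
    def __init__(self):
        self.tag = secrets.token_hex(4)

    def sign(self, msg):               # only the holder of this object can do this
        return (self.tag, msg)


def verify(tag, msg, sig):
    return sig == (tag, msg)


# Canonical forms of the record types the chain uses, and zone-tree helpers.
def _dnskey(zone, tag): return f"{zone} DNSKEY {tag}".encode()
def _ds(child, tag): return f"{child} DS {tag}".encode()
def _a(name, rdata): return f"{name} A {rdata}".encode()
def parent_of(zone): return None if zone == "." else (zone.split(".", 1)[1] or ".")


def zone_of(name, zones):
    """Closest enclosing zone of name among the zones we know about."""
    while name not in zones:
        name = parent_of(name)
    return name


def build_view(keys, records):
    """What a resolver fetches from the zones in keys (zone -> Key): self-signed
    DNSKEYs, a DS in each parent per child, and A records signed by their zone."""
    view = {z: {"tag": k.tag, "dnskey_sig": k.sign(_dnskey(z, k.tag)), "ds": {}, "rrs": {}}
            for z, k in keys.items()}
    for z, k in keys.items():
        if (p := parent_of(z)) is not None:
            view[p]["ds"][z] = keys[p].sign(_ds(z, k.tag))
    for name, rdata in records.items():
        z = zone_of(name, keys)
        view[z]["rrs"][name] = (rdata, keys[z].sign(_a(name, rdata)))
    return view


def validate(view, name, anchors):
    """Walk root -> owning zone, then check the record. anchors maps zone -> trusted
    key tag: an anchored zone must match, any other zone needs a DS signed by its
    parent. Returns (ok, rdata or reason)."""
    chain, z = [], zone_of(name, view)
    while z is not None:
        chain.append(z)
        z = parent_of(z)
    chain.reverse()                                 # e.g. ".", "net.", "furble.net."
    for i, zone in enumerate(chain):
        tag = view[zone]["tag"]
        if not verify(tag, _dnskey(zone, tag), view[zone]["dnskey_sig"]):
            return False, f"bad DNSKEY signature in {zone}"
        if zone in anchors:
            if anchors[zone] != tag:
                return False, f"{zone} key {tag} does not match the configured anchor"
        elif i == 0:
            return False, "no trust anchor for the root"
        else:
            parent = chain[i - 1]
            if not verify(view[parent]["tag"], _ds(zone, tag), view[parent]["ds"].get(zone)):
                return False, f"no valid DS for {zone} in {parent}"
    rdata, sig = view[chain[-1]]["rrs"][name]
    if not verify(view[chain[-1]]["tag"], _a(name, rdata), sig):
        return False, "bad RRSIG on the record"
    return True, rdata


def forge_with_root_key(root_key, zones, target, rdata):
    """Thor's attack: holding only the root's key, mint a fresh key for every zone
    between the root and target and chain them from the root. No key signs
    anything outside its own level, so nothing 'unusual' is signed."""
    keys, z = {".": root_key}, zone_of(target, zones)
    while z != ".":
        keys[z], z = Key(), parent_of(z)
    return build_view(keys, {target: rdata})


def changed_keys(before, after):
    """What a resolver that remembers the last-seen DNSKEYs would notice."""
    return {z for z in before if before[z]["tag"] != after[z]["tag"]}


def demo():
    honest_keys = {".": Key(), "net.": Key(), "furble.net.": Key()}
    honest = build_view(honest_keys, {"www.furble.net.": "192.0.2.1"})          # constructed
    forged = forge_with_root_key(honest_keys["."], honest_keys,
                                 "www.furble.net.", "198.51.100.9")               # constructed
    root_only = {".": honest_keys["."].tag}
    root_and_net = {**root_only, "net.": honest_keys["net."].tag}
    return {
        "honest view, root anchor only": validate(honest, "www.furble.net.", root_only),
        "forged view, root anchor only": validate(forged, "www.furble.net.", root_only),
        "forged view, root + .net anchor": validate(forged, "www.furble.net.", root_and_net),
        "zones whose key changed": changed_keys(honest, forged),
    }
```

Calling demo() gives the four outcomes the thread argues about: with only the root anchor configured, the forged chain validates exactly like the honest one, since every signature is made at its own level; adding a .net anchor (Simon's .se case, one level down) makes the forged view fail at the .net DNSKEY; and comparing the two views shows the .net and furble.net keys changing, which is all a monitoring resolver has to go on. The model says nothing about how the forged view reaches a victim; that is John Levine's targeted-delivery point, which is a separate problem.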