Mark Andrews wrote:
Thus, we must, anyway, protect cache.
Then, where is the point to introduce DNSSEC only to have another
possibility of security holes?
We still lock doors and windows despite the possibility of people
breaking in by lifting tiles.
I'm afraid DNSSEC people have been arguing
On Wed, Jun 03, 2009 at 03:27:42PM +0900, Masataka Ohta wrote:
Though we have to trust the zone administration put correct referral
and glue data in a master zone file, unless we use DNSSEC, we don't
have to trust the zone administration never issue certificates over
forged keys of child
Andrew Sullivan wrote:
Though we have to trust the zone administration put correct referral
and glue data in a master zone file, unless we use DNSSEC, we don't
have to trust the zone administration never issue certificates over
forged keys of child zones.
If an attacker can get its bogus data
In message 4a285750.9010...@necom830.hpcl.titech.ac.jp, Masataka Ohta writes:
Andrew Sullivan wrote:
Though we have to trust the zone administration put correct referral
and glue data in a master zone file, unless we use DNSSEC, we don't
have to trust the zone administration never issue
Mark Andrews wrote:
A problem of blindly believing a zone administration is that it is
only as secure as blindly believing an ISP administration.
Attacking a router of a large ISP is as easy/difficult as attacking
a signature generation mechanism of a large zone.
The difference is we
Richard Barnes wrote:
This debate has nothing to do with the security properties of DNSSEC.
A basic assumption of the DNS is that what the authoritative server for
zone says is, well, authoritative. The structure of DNS itself entitles
JPNIC to point ac.jp wherever they want; by using a
Richard Barnes wrote:
(That is: You already trust the zones above you to maintain the
integrity of the zone on the *server*;
This assumption does not stand universally. For some DNS users/usage,
DNSSEC signature verification will be a must. The discussion implicitly
referred to such
Thierry Moreau wrote:
(That is: You already trust the zones above you to maintain the
integrity of the zone on the *server*;
This assumption does not stand universally. For some DNS users/usage,
DNSSEC signature verification will be a must. The discussion implicitly
referred to such
On Wed, 3 Jun 2009, Masataka Ohta wrote:
You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.
You have never heard of a Hardware Security Module?
Paul
In message 4a25b8ef.70...@necom830.hpcl.titech.ac.jp, Masataka Ohta writes:
Thierry Moreau wrote:
(That is: You already trust the zones above you to maintain the
integrity of the zone on the *server*;
This assumption does not stand universally. For some DNS users/usage,
DNSSEC
In message alpine.lfd.1.10.0906022034140.22...@newtla.xelerance.com, Paul Wouters writes:
On Wed, 3 Jun 2009, Masataka Ohta wrote:
You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.
You have never
On Wed, 3 Jun 2009, Mark Andrews wrote:
You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.
You have never heard of a Hardware Security Module?
HSM doesn't stop the wrong data being signed. It just
In message alpine.lfd.1.10.0906022057560.22...@newtla.xelerance.com, Paul Wouters writes:
On Wed, 3 Jun 2009, Mark Andrews wrote:
You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.
You have never
At 09:09 PM 6/2/2009, Mark Andrews wrote:
HSM's are better than just having the private component of a
public key sitting on a disk somewhere but in most operational
environments they don't add that much more security to the
process.
It depends on the HSM. For
14 matches