On Jan 20, 2012, at 3:15 PM, Phillip Hallam-Baker wrote:

> Stating the problem in terms of PKIX is way too specific. The requirements should apply equally to any new technology being proposed.
>
> Otherwise we end up with a set of requirements that are trivially satisfied just by having something that is not called PKIX.
>
> SOPA/PIPA attempt to force actions on the DNS, an infrastructure that the US Congress appears to regard itself as being in control of. So the same issues are raised for DNSSEC in spades. I would not be surprised if some idiot attempts to 'fix' SOPA/PIPA by giving the plaintiffs the power to order ICANN and/or the registry to insert fraudulent records.

I agree, except I'm not sure that DNS is within the scope of this mailing list.

> As for the activities of intelligence services and co-operation therewith, it seems rather unlikely that any intelligence service is going to attempt to engage in a covert operation that leaves highly visible traces unless the object is to be visible or they are very desperate. Fraudulent certificates are rather visible.

Without pinning, fraudulent certificates are invisible, especially when applied to specific individuals. The fraudulent DigiNotar certificates in Iran would have gone unnoticed had it not been for the pinning of Google certificates.

> I do not believe that the police are above the law. There are courts that sit on a 24 hour basis for precisely the purpose of vetting wiretap requests. The obvious response to a purported US national security letter is to tell the investigator that you do not recognize them as lawful authority as clearly contrary to the searches and seizures clause and that if they want to maintain the secrecy of their investigation they will return with a court order.

I do not believe so either, but con artists posing as policemen or secret agents have managed to get civilians to do lots of things and keep it a secret in the interest of "national security".

> On Fri, Jan 20, 2012 at 5:49 AM, Yoav Nir <[email protected]> wrote:
>
>> On Jan 20, 2012, at 10:05 AM, Vesna Manojlovic wrote:
>>
>>> 'morning
>>>
>>> On Thu, 19 Jan 2012, Paul Hoffman wrote:
>>>> Which attacks are we interested in?
>>>>
>>>> a) Attackers can get a trusted PKIX certificate due to errors on the
>>>> part of some CAs that are trusted by web browsers.
>>>
>>> I would like to add:
>>>
>>> d) Attacker can get a trusted PKIX certificate due to a legislation / law
>>> that enables them to order some CAs to hand out that PKIX certificate
>>>
>>> In light of SOPA/PIPA, ACTA, and Iranian (etc) government.
>>
>> You don't need any special legislation. If the FBI/DHS contacts an American CA, tells them they're following some terrorists who are planning some big attack in the US, and need a certificate in order to listen in on their communications, most people would help their government. Even without the coercion of law enforcement.
>>
>> _______________________________________________
>> therightkey mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/therightkey
>
> --
> Website: http://hallambaker.com/
