[jdev] https://github.com/stpeter/manifesto and additional ideas
Ralf Skyper Kaiser
skyper at thc.org
Fri Nov 15 17:41:43 UTC 2013
On Fri, Nov 15, 2013 at 10:26 AM, Winfried Tilanus <winfried at tilanus.com>wrote:
> On 14-11-13 18:47, Ralf Skyper Kaiser wrote:
> > d. How is the jabber server admin in control when everyone has to trust
> > the master root key and all subsequent keys up to the sub domain of the
> > jabber server? That's not in the control of the jabber admin.
> Please take some time to study DNSSEC before making statements like this.
This thinking that there is only ONE MASTER ROOT KEY that has to be trusted
is a fantasy.
1. Most likely will there be a set of MASTER ROOT KEYS
2. And even if it would be true [it is not] then what percentage of the
Internet users would put their trust in a key that is ultimately
geopolitically aligned with the US? And why should we not care about the
The RFC is also very clear on this and mentions this:
"This prevents an untrustworthy signer from compromising anyone's keys
except those in their own subdomains."
Let me give this another try with an example that shows that ANYONE in the
domain-chain can compromise the trust.
For simplicity we use jabber.ir but it works equally well on other/longer
"." - Public Key shipped with the resolver. This is the MASTER ROOT KEY
.IR - generated their own private/public key pair. Public key is signed by
JABBER.ir - generated their own private/public key pair. Public key is
signed by .IR
".IR" is the attacker. ".IR" has access to the private key (they generated
User requests via DNSSEC the certificate for jabber.ir.
The attacker intercepts DNSSEC traffic and answers with a new public key
(signed by ".IR" private key) and sends this new public key to the user.
User authenticates and verifies that jabber.ir's public key is signed by
.IR. (and .IR's key is signed by ".").
Pinning solves this. DANE does not.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the JDev