[jdev] manifesto & DANE does not cut it
Ralf Skyper Kaiser
skyper at thc.org
Tue Nov 19 11:04:20 UTC 2013
DNSSEC is a step in the right direction. I do not dispute that and salute
the jabber community for recognizing this.
DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate that
On the client/user side this is not sufficient. DNSSEC won't give the user
the security that he believes he is getting.
(During the 2011-revolutions wrongly understood Internet security got
people arrested, tortured or worse).
Let me elaborate a bit further here on why this is so important. Let me quote
from "The Universal Declaration of Human Rights":
DNSSEC does not change this. Only DNSSEC and pinning does. And in fact
I've drawn up example scenarios over and over.
On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <dot at dotat.at> wrote:
> Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > The user has to trust ALL keys and not just the single ROOT KEY.
> That's true, but the amount of trust you have to put in high-level DNSSEC
> keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
> keys cannot authenticate domain names below a zone cut. The DNS also
> caches a lot, so if an attacker tries to redirect part of the namespace
> without obtaining the corresponding private keys, they will cause
> suspicious validation failures at sites where the proper public keys were
> It would be nice to have something better than DNSSEC, but at least it has
> a safer structure than X.509.
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
> occasionally poor at first.
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
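Tony's point about zone cuts and caching, modelled as an added example that is not part of either email: a toy validating resolver over a constructed root / org / example.org hierarchy, with HMAC standing in for DNSSEC's public-key RRSIGs (only the trust structure is modelled, not the cryptography). The attacker is assumed to hold the org key but not example.org's: a resolver with an empty cache is redirected (Ralf's complaint), while a resolver that already holds example.org's real key sees a validation failure (Tony's observation).

```python
import hashlib, hmac, secrets

# Toy stand-in for DNSSEC's RRSIG: an HMAC over "owner=value". Real DNSSEC uses
# public-key signatures; only the zone-cut trust structure is modelled here.
def sign(key, owner, value):
    return hmac.new(key, f"{owner}={value}".encode(), hashlib.sha256).digest()
def ds(dnskey):  # a DS record is a digest of the child zone's DNSKEY
    return hashlib.sha256(dnskey).hexdigest()
class ValidationFailure(Exception): pass

class Zone:  # a signed zone: its DNSKEY, its own records and DS records for its children
    def __init__(self, name, parent=None, key=None):
        self.name, self.parent, self.key = name, parent, key or secrets.token_bytes(16)
        self.rrs, self.children = {}, {}  # owner -> (value, rrsig); child -> (ds, rrsig)
    def publish(self, owner, value):
        self.rrs[owner] = (value, sign(self.key, owner, value))
    def delegate(self, child):
        self.children[child.name] = (ds(child.key), sign(self.key, child.name, ds(child.key)))

class Resolver:  # validating resolver: trusts the root key, caches every DNSKEY it validated
    def __init__(self, root): self.cache = {root.name: root.key}
    def zone_key(self, name, net):
        if name in self.cache:  # a cached key wins over whatever the parent now publishes
            return self.cache[name]
        zone, (d, sig) = net[name], net[net[name].parent].children[name]
        # The parent key only vouches for the DS; it cannot sign names below the zone cut.
        if not hmac.compare_digest(sign(self.zone_key(zone.parent, net), name, d), sig) or d != ds(zone.key):
            raise ValidationFailure(f"DS for {name} does not match the DNSKEY presented")
        self.cache[name] = zone.key
        return zone.key
    def lookup(self, owner, name, net):
        value, sig = net[name].rrs[owner]
        if not hmac.compare_digest(sign(self.zone_key(name, net), owner, value), sig):
            raise ValidationFailure(f"RRSIG over {owner} was not made by the {name} key")
        return value

def run_scenarios():  # constructed scenario: the attacker holds the org key but not example.org's
    owner = "_xmpp-client._tcp.example.org"
    root, org, ex = Zone("."), Zone("org", "."), Zone("example.org", "org")
    root.delegate(org); org.delegate(ex); ex.publish(owner, "xmpp.example.org")
    net = {".": root, "org": org, "example.org": ex}
    direct = Zone("example.org", "org", key=org.key); direct.publish(owner, "evil.example")  # org key signs below the cut
    rogue, evil_org = Zone("example.org", "org"), Zone("org", ".", key=org.key)  # re-delegate to the attacker's key
    rogue.publish(owner, "evil.example"); evil_org.delegate(rogue)
    evil_net = {".": root, "org": evil_org, "example.org": rogue}
    def attempt(resolver, n):
        try: return resolver.lookup(owner, "example.org", n)
        except ValidationFailure: return "ValidationFailure"
    warm = Resolver(root); warm.lookup(owner, "example.org", net)  # already holds example.org's real key
    return {"honest": attempt(Resolver(root), net), "parent_key_direct": attempt(Resolver(root), {**net, "example.org": direct}),
            "fresh_redelegated": attempt(Resolver(root), evil_net), "cached_redelegated": attempt(warm, evil_net)}
```

The "fresh_redelegated" case is why the thread argues for pinning on top of DNSSEC: a parent-zone key cannot sign below the cut directly, but it can re-delegate, and only a resolver (or client) that already knows the child's key notices.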