[jdev] manifesto & DANE does not cut it

Ralf Skyper Kaiser skyper at thc.org
Tue Nov 19 11:04:20 UTC 2013


Hi Tony,

DNSSEC is a step in the right direction. I do not dispute that and salute
the jabber community for recognizing this.

DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate that
risk.

On the client/user side this is not sufficient. DNSSEC won't give the user
the security that he believes he is getting.
(During the 2011 revolutions, wrongly understood Internet security got
people arrested, tortured or worse.)

Let me elaborate a bit further here on why this is so important. Let me quote
from "The Universal Declaration of Human Rights":


DNSSEC does not change this. Only DNSSEC and pinning does. And in fact
pinning alone



I've drawn up example scenarios over and over.



On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <dot at dotat.at> wrote:

> Ralf Skyper Kaiser <skyper at thc.org> wrote:
> >
> > The user has to trust ALL keys and not just the single ROOT KEY.
>
> That's true, but the amount of trust you have to put in high-level DNSSEC
> keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
> keys cannot authenticate domain names below a zone cut. The DNS also
> caches a lot, so if an attacker tries to redirect part of the namespace
> without obtaining the corresponding private keys, they will cause
> suspicious validation failures at sites where the proper public keys were
> cached.
>
> It would be nice to have something better than DNSSEC, but at least it has
> a safer structure than X.509.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
> first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
> good,
> occasionally poor at first.
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
>
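Added example, not part of this mail or of any jdev code: the "DNSSEC and pinning" policy the post argues for, written out as a fail-closed client check. The chain result (CA, or DANE on a DNSSEC-signed zone) is treated as necessary but never sufficient; the pin decides. The key blobs, host names and the PinStore class are constructed for illustration and are not an API of any real XMPP client.

```python
"""Added example (not from the jdev thread): SPKI pinning as a fail-closed check
that runs after, and independently of, DNSSEC/DANE or CA chain validation.

Everything below is constructed for illustration: the key blobs are stand-ins
for DER-encoded SubjectPublicKeyInfo structures, and PinStore is a hypothetical
client-side store, not an API of any real XMPP client.
"""
import base64
import hashlib
from typing import Dict, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the RFC 7469 style: base64(SHA-256(SubjectPublicKeyInfo DER)).

    Hashing the SPKI (not the whole certificate) keeps the pin stable across
    re-issued certificates that reuse the same key pair.
    """
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Per-host set of acceptable pins, optionally learned on first use (TOFU)."""

    def __init__(self, preloaded: Optional[Dict[str, Set[str]]] = None) -> None:
        self.pins: Dict[str, Set[str]] = {h: set(p) for h, p in (preloaded or {}).items()}

    def check(self, host: str, spki_der: bytes, trust_on_first_use: bool = False) -> str:
        """Return 'match', 'mismatch', 'learned' or 'unknown' for this host/key."""
        pin = spki_pin(spki_der)
        known = self.pins.get(host)
        if known is None:
            if trust_on_first_use:
                self.pins[host] = {pin}
                return "learned"
            return "unknown"
        return "match" if pin in known else "mismatch"


def accept_connection(host: str, spki_der: bytes, store: PinStore,
                      chain_validated: bool) -> bool:
    """Decide whether to talk to the server.

    chain_validated is the result of the ordinary chain check (CA, or DANE on a
    DNSSEC-signed zone). It is necessary but never sufficient: a pin mismatch
    rejects the connection even when the chain checked out, because a coerced CA
    or a compromised zone key yields a perfectly "valid" chain for the wrong key.
    """
    if not chain_validated:
        return False
    return store.check(host, spki_der) == "match"


# Constructed stand-ins for SPKI DER blobs (real ones begin with an ASN.1 SEQUENCE).
GENUINE_KEY = b"\x30\x82\x01\x22" + b"jabber.org genuine key material (constructed)"
ATTACKER_KEY = b"\x30\x82\x01\x22" + b"attacker key with a valid-looking chain (constructed)"

# Client shipped with a pin for jabber.org (constructed example value).
STORE = PinStore({"jabber.org": {spki_pin(GENUINE_KEY)}})


def demo() -> Dict[str, bool]:
    """Run the three cases the post is concerned with and return the decisions."""
    return {
        # Genuine server, chain validated: accepted.
        "genuine": accept_connection("jabber.org", GENUINE_KEY, STORE, chain_validated=True),
        # Active attacker whose chain validates (coerced CA or zone key): rejected by the pin.
        "attacker_valid_chain": accept_connection("jabber.org", ATTACKER_KEY, STORE, chain_validated=True),
        # Genuine key but broken chain: still rejected; pinning does not replace chain checks.
        "genuine_broken_chain": accept_connection("jabber.org", GENUINE_KEY, STORE, chain_validated=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'connect' if ok else 'abort'}")
```

The "unknown" result is deliberately not an accept: a client that falls back to plain chain validation when no pin is stored hands the attacker exactly the window the post worries about, so the caller must either ship pins with the client or opt into learn-on-first-use explicitly and show the user the result.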