[jdev] manifesto & DANE does not cut it

Ralf Skyper Kaiser skyper at thc.org
Tue Nov 19 11:16:52 UTC 2013

Hi Tony,

DNSSEC is a step in the right direction. I do not dispute that and salute
the jabber community for recognizing this.

DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate that
risk. DNSSEC in fact only marginally reduces this risk considering the
real-world attacks that happened since 2011.

On the client/user side this is not sufficient. DNSSEC won't give the user
the security that he believes he is getting.
(During the 2011-revolutions wrongly understood Internet security got
people arrested, tortured or worse).

Let me elaborate a bit further here why this is so important. Let me quote
from "The Universal Declaration of Human Rights":

"Whereas disregard and contempt for human rights have resulted in barbarous
acts which have outraged the conscience of mankind, and the advent of a
world in which human beings shall enjoy freedom of speech and belief and
freedom from fear and want has been proclaimed as the highest aspiration of
the common people,"

It is so important that it is not mentioned somewhere random but in the
Preamble itself. It is the second sentence.

Jabber with DNSSEC requires the user to trust the ROOT (domain name ".").
This ROOT KEY is ultimately controlled by an entity which is geopolitically
aligned with US policy (and therefore US government).

Let's assume that everybody in the US trusts the US government (quite an
assumption in a Post-PRISM world). Even then this would be less than 5% of
the world population. And with DNSSEC it gets worse. A user in country .XX
connecting to a jabber-server.XX has to trust "." _and_ ".XX". Trusting
your own government (which ultimately controls the .XX zone in many
countries) is the problem, not the solution.

Peter, I hope you understand how important this is and I kindly ask you to
include cert-pinning in your manifesto.



On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <dot at dotat.at> wrote:

> Ralf Skyper Kaiser <skyper at thc.org> wrote:
> >
> > The user has to trust ALL keys and not just the single ROOT KEY.
>
> That's true, but the amount of trust you have to put in high-level DNSSEC
> keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
> keys cannot authenticate domain names below a zone cut. The DNS also
> caches a lot, so if an attacker tries to redirect part of the namespace
> without obtaining the corresponding private keys, they will cause
> suspicious validation failures at sites where the proper public keys were
> cached.
>
> It would be nice to have something better than DNSSEC, but at least it has
> a safer structure than X.509.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.