[jdev] manifesto & DANE does not cut it

Simon Tennant simon at buddycloud.com
Tue Nov 19 11:37:02 UTC 2013


I don't think anyone here is advocating for downgrading security or not
respecing human rights.

I do think that we're being pretty sanguine about not letting the perfect
become the enemy of the good and incrementally upgrading XMPP's security.

Good security is based on layering trust and trust points being open to
inspection. DNS is about as open as you can get and comes with a pretty
good "api". I'd expect that services like the SSL Observatory start
offering a service that inspects DNSSEC records. And publish any oddities.

Regarding having to trust the owner of . changing keys, presumably pinning
the root key would mean that you would notice it changing? DNSSEC would let
you could pin any other keys in your app and notice them changing.

Nevertheless, Tony makes a good point: a cut in the namespace would be
pretty obvious to all.

S.


On 19 November 2013 12:16, Ralf Skyper Kaiser <skyper at thc.org> wrote:

> Hi Tony,
>
> DNSSEC is a step into the right direction. I do not dispute that and
> salute the jabber community for recognizing this.
>
> DNSSEC reduces the risk of an active attack. DNSSEC does not eliminate
> that risk. DNSSEC in fact only marginally reduces this risk considering the
> real-world attacks that happened since 2011.
>
> On the client/user side this is not sufficient. DNSSEC wont give the user
> the security that he believes he is getting.
> (During the 2011-revolutions wrongly understood Internet security got
> people arrested, tortured or worse).
>
> Let me elaborate a bit further here why this is so important. Let me quote
> from "The Universal Declaration of Human Rights":
>
> "Whereas disregard and contempt for human rights have resulted in
> barbarous acts which have outraged the conscience of mankind, and the
> advent of a world in which human beings shall enjoy freedom of speech and
> belief and freedom from fear and want has been proclaimed as the highest
> aspiration of the common people,"
>
>  It is so important that it is not mentioned somewhere random but in the
> Preamble itself. It is the second sentence.
>
> Jabber with DNSSEC requires the user to trust the ROOT (domain name ".").
> This ROOT KEY is ultimately controlled by an entity which is geopolitically
> aligned with US policy (and therefor US government).
>
> Let's assume that everybody in the US trusts the US government (quite an
> assumption in a Post-PRISM world). Even then would this be less than 5% of
> the world population. And with DNSSEC it gets worse. A user in country .XX
> connecting to a jabber-server.XX has to trust "." _and_ ".XX". Trusting
> your own government (which ultimately controls the .XX zone in many
> countries) is the problem, not the solution.
>
> Peter, I hope you understand how important this is and I kindly ask you to
> include cert-pinning in your manifesto.
>
> regards,
>
> Ralf
>
>
>
>
> On Mon, Nov 18, 2013 at 3:39 PM, Tony Finch <dot at dotat.at> wrote:
>
>> Ralf Skyper Kaiser <skyper at thc.org> wrote:
>> >
>> > The user has to trust ALL keys and not just the single ROOT KEY.
>>
>> That's true, but the amount of trust you have to put in high-level DNSSEC
>> keys is relatively limited. DNSSEC is aware of zone cuts, and high-level
>> keys cannot authenticate domain names below a zone cut. The DNS also
>> caches a lot, so if an attacker tries to redirect part of the namespace
>> without obtaining the corresponding private keys, they will cause
>> suspicious validation failures at sites where the proper public keys were
>> cached.
>>
>> It would be nice to have something better than DNSSEC, but at least it has
>> a safer structure than X.509.
>>
>> Tony.
>> --
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at
>> first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or
>> good,
>> occasionally poor at first.
>> _______________________________________________
>> JDev mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>> Unsubscribe: JDev-unsubscribe at jabber.org
>> _______________________________________________
>>
>
>
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
>
>


-- 
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
goo.gl/tQgxP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131119/d6029187/attachment-0001.html>


More information about the JDev mailing list