Re: [Asrg] DNSSEC is NOT secure end to end
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Sat, 30 May 2009 23:26 UTC
Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B5C073A6A92 for <asrg@core3.amsl.com>; Sat, 30 May 2009 16:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.56
X-Spam-Level:
X-Spam-Status: No, score=0.56 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DnNE81Vr2L5M for <asrg@core3.amsl.com>; Sat, 30 May 2009 16:26:17 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id E02EB3A6A15 for <asrg@irtf.org>; Sat, 30 May 2009 16:26:05 -0700 (PDT)
Received: (qmail 29538 invoked from network); 31 May 2009 00:57:30 -0000
Received: from bmdi3226.bmobile.ne.jp (HELO necom830.hpcl.titech.ac.jp) (202.221.175.226) by necom830.hpcl.titech.ac.jp with SMTP; 31 May 2009 00:57:30 -0000
Message-ID: <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp>
Date: Sun, 31 May 2009 08:27:07 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Francis Dupont <Francis.Dupont@fdupont.fr>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr>
In-Reply-To: <200905302032.n4UKVxaZ048822@givry.fdupont.fr>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sat, 30 May 2009 16:32:53 -0700
Cc: Anti-Spam Research Group - IRTF <asrg@irtf.org>, ietf@ietf.org
Subject: Re: [Asrg] DNSSEC is NOT secure end to end
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2009 23:26:17 -0000
Francis Dupont wrote: > => not only this is very arguable (for instance about the resource > exhaustion) but no hop-by-hop/channel security, even something as > strong as TSIG, can provide what we need, i.e., end-to-end/object > security (*). Unless your meaning of end-to-end differs from that of David Clark, the following argument of his paper is applicable to DNSSEC. http://portal.acm.org/citation.cfm?doid=383034.383037 Rethinking the design of the Internet: The end to end arguments vs. the brave new world The certificate is an assertion by that (presumably trustworthy) third party that the indicated public key actually goes with the particular user. These certificates are principal components of essentially all public key schemes, That is, security of DNSSEC involves third parties and is not end to end. > PS (*): I use the common meaning of end-to-end, not Masataka Ohta's one. I'm afraid you don't know who David Clark is and how he is related to the end to end argument. However, all the people who are qualified to discuss end to end do know him and his argument. Masataka Ohta
- [Asrg] DNS-based Email Sender Authentication Mech… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Steve Atkins
- [Asrg] 答复: DNS-based Email Sender Authentication … Sean Shen
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… grenville armitage
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Leslie
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] rDNS Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Levine
- [Asrg] DNS over SCTP (was: Re: DNS-based Email Se… Alessandro Vesely
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… SM
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS discrimination Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Thierry Moreau
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Masataka Ohta
- Re: [Asrg] DNS over SCTP Michael Tüxen
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Francis Dupont
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Bill Manning
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNSSEC is NOT secure end to end Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Mark Andrews
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- [Asrg] RISC is end to end (was Re: DNSSEC is NOT … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end der Mouse
- Re: [Asrg] DNS over SCTP Alessandro Vesely