Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)
Olafur Gudmundsson <ogud@ogud.com> Mon, 28 July 2014 17:13 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF23B1A03DE for <dane@ietfa.amsl.com>; Mon, 28 Jul 2014 10:13:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVymvKGi6X14 for <dane@ietfa.amsl.com>; Mon, 28 Jul 2014 10:13:02 -0700 (PDT)
Received: from smtp92.ord1c.emailsrvr.com (smtp92.ord1c.emailsrvr.com [108.166.43.92]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 255D71A041C for <dane@ietf.org>; Mon, 28 Jul 2014 10:12:46 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp20.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 8EC6E803E2; Mon, 28 Jul 2014 13:12:45 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp20.relay.ord1c.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 334EE802CE; Mon, 28 Jul 2014 13:12:45 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-74-96-189-180.washdc.fios.verizon.net [74.96.189.180]) (using TLSv1 with cipher AES128-SHA) by 0.0.0.0:587 (trex/5.2.10); Mon, 28 Jul 2014 17:12:45 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de>
Date: Mon, 28 Jul 2014 13:12:44 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <1B773935-7CE3-4507-A196-EAC4D7B21C5F@ogud.com>
References: <1d002b9795bf8f9946f1375fef78abd6@triangulum.uberspace.de> <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca> <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de>
To: Rene Bartsch <ml@bartschnet.de>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pevQnigQdAp7WsCCxiJXZN4kClw
Cc: dane@ietf.org
Subject: Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 17:13:05 -0000
<chair-hat> This discussion is off topic. DANE is about how to leverage DNSSEC by applications and conspiracy theories are not within our charter. Anyone that does not trust DNSSEC operations is free to ignore distribution of OPENPGP keys via DNS, and continue to use the web of trust. </char-hat> Olafur On Jul 28, 2014, at 10:59 AM, Rene Bartsch <ml@bartschnet.de> wrote: > Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see how it would help. Consider the following case: > > (Forced by secret US law) The IANA secretly hands over the current private key of the DNSSEC trust anchor to a US government agency which uses the private key to sign forged zones and feeds them to DNS resolvers. That way US government agencies would be able to manipulate any DNS record including OpenPGP while users would be lulled in a false sense of security. > > In case I didn't miss any super-security feature users should be aware of that fact. > > Am 2014-07-28 15:52, schrieb Paul Wouters: >>> 3. Security considerations: The IANA has control over the DNSSEC root keys. As the IANA is bound to US law, US government agencies probably have access to the DNSSEC root keys and are capable to manipulate the OpenPGP keys signed with DNSSEC. >> There is currently a first attempt at specifying transparancy for >> DNSSEC for those who want to audit/track the DNSSEC root or parent >> domain holders: >> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00 >> Paul > > -- > Best regards, > > Renne > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane
- [dane] Comments on draft-wouters-dane-openpgp-02 Rene Bartsch
- Re: [dane] Comments on draft-wouters-dane-openpgp… Paul Wouters
- Re: [dane] Comments on draft-wouters-dane-openpgp… Paul Wouters
- Re: [dane] Comments on draft-wouters-dane-openpgp… Martin Rex
- [dane] Manipulation of DNSSEC by US government po… Rene Bartsch
- Re: [dane] Comments on draft-wouters-dane-openpgp… Viktor Dukhovni
- Re: [dane] Manipulation of DNSSEC by US governmen… Paul Wouters
- Re: [dane] Manipulation of DNSSEC by US governmen… Nico Williams
- Re: [dane] Manipulation of DNSSEC by US governmen… Olafur Gudmundsson
- Re: [dane] Manipulation of DNSSEC by US governmen… Rene Bartsch
- Re: [dane] Manipulation of DNSSEC by US governmen… Wiley, Glen
- Re: [dane] Manipulation of DNSSEC by US governmen… Mark Andrews
- Re: [dane] Manipulation of DNSSEC by US governmen… Rene Bartsch
- Re: [dane] Manipulation of DNSSEC by US governmen… Mark Andrews
- Re: [dane] Manipulation of DNSSEC by US governmen… Paul Wouters
- Re: [dane] Manipulation of DNSSEC by US governmen… Rene Bartsch
- Re: [dane] Manipulation of DNSSEC by US governmen… John Gilmore
- Re: [dane] Manipulation of DNSSEC by US governmen… Paul Wouters
- Re: [dane] Manipulation of DNSSEC by US governmen… Stephen Kent
- Re: [dane] Manipulation of DNSSEC by US governmen… Nico Williams