Re: [DNSOP] DNSSEC as a Best Current Practice

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 28 March 2022 07:44 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A53C3A0D8B for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 00:44:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WpZo9MbsATjG for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 00:44:27 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by ietfa.amsl.com (Postfix) with SMTP id 06CBB3A0D7E for <dnsop@ietf.org>; Mon, 28 Mar 2022 00:44:26 -0700 (PDT)
Received: (qmail 75599 invoked from network); 28 Mar 2022 07:40:27 -0000
Received: from necom830.hpcl.titech.ac.jp (HELO ?127.0.0.1?) (131.112.32.132) by necom830.hpcl.titech.ac.jp with SMTP; 28 Mar 2022 07:40:27 -0000
Message-ID: <3d81f02f-5d1c-6731-0ce6-cfcffc2637bb@necom830.hpcl.titech.ac.jp>
Date: Mon, 28 Mar 2022 16:44:20 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: dnsop@ietf.org
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <27d48ac5-2132-4b8d-be28-2f5b4a07ca28@Spark> <fff12041-aa37-f601-e5f6-66289a47ad20@necom830.hpcl.titech.ac.jp> <4af62212-c0f2-466a-895b-36626f7308c6@Spark> <CAPt1N1mWJPA69WP397pG+gHK-J47NaD8N0_06s6up_RBTwkjNA@mail.gmail.com> <8d6f9902-66fa-9b6c-8700-9a3437a14ca8@necom830.hpcl.titech.ac.jp>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <8d6f9902-66fa-9b6c-8700-9a3437a14ca8@necom830.hpcl.titech.ac.jp>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z8htvFtPVeQKK1zPScLt-DbNaOw>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 07:44:33 -0000

I wrote:

>> Ohta-san is using the term MiTM in an unusual way.
> 
> Wrong. See, for example,
> 
>      https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack
>      More facts have recently come to light about the compromise
>      of the DigiNotar Certificate Authority, which appears to have
>      enabled Iranian hackers to launch successful man-in-the-middle
>      attacks against hundreds of thousands of Internet users inside
>      and outside of Iran.

Sorry, this is not a good reference because it mentions MitM attack
on ISP chain is enabled by diginotar.

A proper reference is:

	https://www.thesslstore.com/knowledgebase/ssl-support/explaining-the-chain-of-trust/
	Intermediate Certificate – Intermediate certificates branch
	off of root certificates like branches off of trees. They
	act as middle-men between the protected root certificates
	       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	and the server certificates issued out to the public.
	^^^^^^^^^^^^^^^^^^^^^^^^^^^

						Masataka Ohta