IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Tue, 22 March 2022 14:12 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB1683A1401 for <dnsop@ietfa.amsl.com>; Tue, 22 Mar 2022 07:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEvkR2heyOKz for <dnsop@ietfa.amsl.com>; Tue, 22 Mar 2022 07:12:17 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by ietfa.amsl.com (Postfix) with SMTP id CA0D53A13CA for <dnsop@ietf.org>; Tue, 22 Mar 2022 07:12:15 -0700 (PDT)
Received: (qmail 70028 invoked from network); 22 Mar 2022 14:08:22 -0000
Received: from necom830.hpcl.titech.ac.jp (HELO ?127.0.0.1?) (131.112.32.132) by necom830.hpcl.titech.ac.jp with SMTP; 22 Mar 2022 14:08:22 -0000
Message-ID: <affe488c-d2c4-05a0-69b4-12c2aa97dbfa@necom830.hpcl.titech.ac.jp>
Date: Tue, 22 Mar 2022 23:12:09 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <163bfd78-c21d-084c-9f6d-9d29b80bcbd1@necom830.hpcl.titech.ac.jp> <7B3A5D3D-2E84-45A7-BE5F-3BAC3650E95C@hopcount.ca> <e722a37a-1476-d90b-b4df-e9d4604bea59@necom830.hpcl.titech.ac.jp> <e8566381-d8e8-b99f-67c3-2e89dc9cb85@nohats.ca>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <e8566381-d8e8-b99f-67c3-2e89dc9cb85@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/km18cfVwsUbKf_igHmi0c2jpQAQ>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 14:12:19 -0000

Paul Wouters wrote:

>> Wrong. DNSSEC as PKI is not cryptographically secure subject to
>> MitM attacks on CA chains, which is not more difficult than
>> MitM attacks on ISP chains.
> 
> I think at this point we have reached a point where your repeated
> claims lack any merit

So, you ignore diginotar to have demonstrated that PKI to
blindly trust untrustworthy TTPs is cryptographically
insecure.

Note again that browsers with some public key information
configured is subject to MitM attacks on software
distribution chains.

						Masataka Ohta

v2.23.0 | Report a Bug | By Email