IETF Logo Mail Archive

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

Måns Nilsson <mansaxel@besserwisser.org> Fri, 06 September 2013 21:06 UTC

Return-Path: <mansaxel@besserwisser.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B37F211E81CB for <ietf@ietfa.amsl.com>; Fri, 6 Sep 2013 14:06:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.347
X-Spam-Level:
X-Spam-Status: No, score=-2.347 tagged_above=-999 required=5 tests=[AWL=-0.047, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHiQSAfKHLR2 for <ietf@ietfa.amsl.com>; Fri, 6 Sep 2013 14:06:46 -0700 (PDT)
Received: from jaja.besserwisser.org (jaja.besserwisser.org [IPv6:2a01:298:4:0:211:43ff:fe36:1299]) by ietfa.amsl.com (Postfix) with ESMTP id 8B41A11E812E for <ietf@ietf.org>; Fri, 6 Sep 2013 14:06:42 -0700 (PDT)
Received: by jaja.besserwisser.org (Postfix, from userid 1004) id C9C559E76; Fri, 6 Sep 2013 23:06:38 +0200 (CEST)
Date: Fri, 06 Sep 2013 23:06:38 +0200
From: Måns Nilsson <mansaxel@besserwisser.org>
To: Ted Lemon <ted.lemon@nominum.com>
Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
Message-ID: <20130906210638.GC3428@besserwisser.org>
References: <alpine.BSF.2.00.1309051743130.47262@hiroshima.bogus.com> <52293197.1060809@gmail.com> <5C7FECAB-8A22-4AF1-B023-456458E1B288@nominum.com> <522949C2.8010206@gmail.com> <52294C6D.7090206@gmail.com> <m2ppsmzgs5.wl%randy@psg.com> <5229686A.5090308@gmail.com> <31078634-5AEA-4FC9-80A8-2E77650BA530@piuha.net> <20130906072539.GJ5700@besserwisser.org> <9AC2A86F-250C-4B3C-B9BA-8DF44C937B41@nominum.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="yLVHuoLXiP9kZBkt"
Content-Disposition: inline
In-Reply-To: <9AC2A86F-250C-4B3C-B9BA-8DF44C937B41@nominum.com>
X-URL: http://vvv.besserwisser.org
X-Purpose: More of everything NOW!
X-happyness: Life is good.
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "ietf@ietf.org list" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2013 21:06:48 -0000

Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA Date: Fri, Sep 06, 2013 at 11:46:17AM -0400 Quoting Ted Lemon (ted.lemon@nominum.com):
> On Sep 6, 2013, at 3:25 AM, Måns Nilsson <mansaxel@besserwisser.org> wrote:
> > I do think that more distributed technoligies like DANE play an important
> > rôle here.
> 
> Right, because there's no way the NSA could ever pwn the DNS root key.

It is probably easier for NSA or similar agencies in other countries
to coerce X.509 root CA providers that operate on a competetive market
than fooling the entire international DNS black helicopter cabal. But
that is -- I admit -- an educated guess, based on personal relations.

> What we should probably be thinking about here is:
> 
>   - Mitigating single points of failure (IOW, we _cannot_ rely
>     on just the root key)

In effect, DANE exchanges one trust model for another. I happen
to believe that the damage risque is lower with DNSSEC + DANE than the
traditional "any CA can issue a certificate for any domain name" setup.

>   - Hybrid solutions (more trust sources means more work to
>     compromise)
>   - Sanity checking (if a key changes unexpectedly, we should
>     be able to notice)
>   - Multiple trust anchors (for stuff that really matters, we
>     can't rely on the root or on a third party CA)
>   - Trust anchor establishment for sensitive communications
>     (e.g. with banks)

agree on all. 
 
> The threat model isn't really the NSA per se—if they really want to bug you, they will, and you can't stop them, and that's not a uniformly bad thing.   The problem is the breathtakingly irresponsible weakening of crypto systems that has been alleged here, and what we can do to mitigate that.   Even if we aren't sure that it's happened, or precisely what's happened, it's likely that it has happened, or will happen in the near future.  We should be thinking in those terms, not crossing our fingers and hoping for the best.
 
Audit and open source seem to be good starting points. 

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Yow!  It's some people inside the wall!  This is better than mopping!

v2.23.0 | Report a Bug | By Email