Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Phillip Hallam-Baker <hallam@gmail.com> Thu, 25 February 2010 14:12 UTC
In-Reply-To: <4B863571.40604@necom830.hpcl.titech.ac.jp>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <p06240819c7ab46c7fbf9@10.20.30.158> <4B859F15.9080106@acm.org> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org> <4B863571.40604@necom830.hpcl.titech.ac.jp>
Date: Thu, 25 Feb 2010 09:14:21 -0500
Message-ID: <a123a5d61002250614h36c51a42xebb54c3cc340829d@mail.gmail.com>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
I find blanket statements of the form 'Verifiability does not scale' to be inconsistent with the facts. We do in fact have a very successful PKI industry with multiple companies competing in a multi-billion dollar market. The only reason this is not heralded as the triumph of PKI is that some people thought that PKI would look different.

The biggest mistakes I made in that business were not recognizing the need for domain validated SSL earlier and not realizing that self-signed certificates should be treated positively by UIs. A site with a self-signed cert is always going to be at least as safe as a site with no cert. So the user should never be presented with a warning dialog for a self-signed cert.

SSH is not a bad security protocol. It provides a very high level of protection against high probability risks with little or no impact on the user. There is a narrow window of vulnerability to a man in the middle attack. But SSH would be much better if we could integrate the key distribution into a secured DNS. And self-signed SSL certs would be better if we could use hash values distributed through a secured DNS to verify them.

If DNSSEC succeeds, the domain validated certificate business will have to either transform or eventually die. I think that for most CAs, the business opportunities from SSL+DNSSEC are greater than the opportunities from the current DV SSL business. DNSSEC cannot deploy unless the registrars have cryptography experience; the CAs have that experience.

On Thu, Feb 25, 2010 at 3:31 AM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
> Nikos Mavrogiannopoulos wrote:
>
>>> In general, public key cryptography is secure only if public key
>>> distribution is secure.
>
>> Well as far as I know ssh works pretty well today
>
> With plain old DNS, yes, ssh works pretty well today.
>
> However, it should be noted that the first ssh connection may be
> misdirected, if plain old DNS is attacked.
>
> That is, we know plain old DNS works pretty well today.
>
>> and this model can be
>> easily made verifiable (i.e. secure as you say) by the administrator
>> verifying the keys of upstream.
>
> Verifiability does not scale, which is why DNSSEC, or PKI in general,
> is not really secure.
>
>> Being "secure" heavily depends on what your requirements are
>
> Requirements may vary.
>
> However, my point is that DH (or equivalent elliptic curve cryptography)
> does not add anything to simple nonce.
>
>> Is a typical bank in Europe secure? Can a
>> general go with an armory division and take the money? Of course he can,
>> but banks don't consider this a threat.
>
> You, as a general, are free to assume typical ISPs in Europe not
> secure and packet snooping possible, which means you must say
> DNSCurve insecure.
>
> Or, you, as an ordinary person, are free to assume typical ISPs in
> Europe secure and packet snooping impossible, which means you must
> say simple nonce secure.
>
> Masataka Ohta

-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
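The message above contrasts SSH's trust-on-first-use model (with its "narrow window" on the first connection) against distributing host-key and certificate fingerprints through a secured DNS. The following is an added example, not code from the original message or from any project, that puts the two side by side: a minimal known_hosts-style store that pins whatever key it first sees, and a client check that instead matches the presented key against SSHFP records (RFC 4255, SHA-256 fingerprint type per RFC 6594) from a DNSSEC-validating resolver, extended with the same hash comparison for a self-signed TLS certificate. The key blobs, certificate bytes and zone contents are constructed sample data; `FakeResolver` is a dictionary standing in for a validating resolver (its `validated` flag plays the role of the AD bit), and the `"CERTHASH"` record name is hypothetical, chosen only to show the certificate-hash idea without implying any real record type.

```python
"""TOFU pinning versus DNS-anchored fingerprint verification (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# SSHFP RDATA codes (RFC 4255, RFC 6594): algorithm number and fingerprint type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa": 3, "ssh-ed25519": 4}
FP_SHA256 = 2


def fingerprint(blob: bytes) -> str:
    """SHA-256 hex digest of a raw public-key blob or a DER certificate."""
    return hashlib.sha256(blob).hexdigest()


def sshfp_rdata(alg_name: str, pubkey_blob: bytes) -> tuple[int, int, str]:
    """SSHFP record data for a host key: (algorithm, fp type, hex fingerprint),
    the same tuple `ssh-keygen -r` prints for publication in the zone."""
    return (SSHFP_ALG[alg_name], FP_SHA256, fingerprint(pubkey_blob))


@dataclass
class TofuStore:
    """Minimal known_hosts: trust and pin whatever key the first connection shows."""
    pinned: dict[str, tuple[int, str]] = field(default_factory=dict)

    def verify(self, host: str, alg_name: str, blob: bytes) -> str:
        seen = (SSHFP_ALG[alg_name], fingerprint(blob))
        if host not in self.pinned:
            self.pinned[host] = seen  # the MITM window: nothing to check against yet
            return "pinned-on-first-use"
        return "ok" if self.pinned[host] == seen else "MISMATCH"


@dataclass
class FakeResolver:
    """Stand-in for a DNSSEC-validating resolver (constructed): records keyed by
    (name, rrtype) plus whether the answer was authenticated (the AD bit)."""
    zone: dict[tuple[str, str], list]
    validated: bool = True

    def query(self, name: str, rrtype: str) -> tuple[list, bool]:
        return self.zone.get((name, rrtype), []), self.validated


def verify_via_dns(host: str, alg_name: str, blob: bytes, resolver: FakeResolver) -> str:
    """Match the presented host key against the host's SSHFP records.
    Only a validated answer may be trusted: an unsigned answer could have been
    forged by the same attacker who redirected the connection."""
    records, validated = resolver.query(host, "SSHFP")
    if not records:
        return "no-record"      # caller falls back to TOFU
    if not validated:
        return "unvalidated"    # treat like no record; do not pin from it
    return "ok" if sshfp_rdata(alg_name, blob) in records else "MISMATCH"


def verify_cert_via_dns(host: str, cert_der: bytes, resolver: FakeResolver) -> str:
    """Same check for a self-signed TLS certificate: the zone publishes the
    certificate's SHA-256 hash (hypothetical "CERTHASH" record, no real RR type
    implied) and the client matches it instead of consulting a CA."""
    hashes, validated = resolver.query(host, "CERTHASH")
    if not hashes:
        return "no-record"
    if not validated:
        return "unvalidated"
    return "ok" if fingerprint(cert_der) in hashes else "MISMATCH"


# Constructed sample data: the real host key, an attacker's key, a self-signed cert.
HOST = "shell.example.test"
REAL_KEY = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))       # fake key blob
EVIL_KEY = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32, 64))   # fake key blob
REAL_CERT = b"\x30\x82\x01\x00 constructed self-signed certificate bytes"


def scenario() -> dict[str, str]:
    """First contact is intercepted by an attacker, later contacts reach the real host."""
    zone = {(HOST, "SSHFP"): [sshfp_rdata("ssh-ed25519", REAL_KEY)],
            (HOST, "CERTHASH"): [fingerprint(REAL_CERT)]}
    signed = FakeResolver(zone)
    unsigned = FakeResolver(zone, validated=False)
    tofu = TofuStore()
    return {
        "tofu_first_contact_attacker": tofu.verify(HOST, "ssh-ed25519", EVIL_KEY),
        "tofu_then_real_host": tofu.verify(HOST, "ssh-ed25519", REAL_KEY),
        "dns_attacker": verify_via_dns(HOST, "ssh-ed25519", EVIL_KEY, signed),
        "dns_real_host": verify_via_dns(HOST, "ssh-ed25519", REAL_KEY, signed),
        "dns_unsigned_answer": verify_via_dns(HOST, "ssh-ed25519", REAL_KEY, unsigned),
        "cert_real": verify_cert_via_dns(HOST, REAL_CERT, signed),
        "cert_tampered": verify_cert_via_dns(HOST, REAL_CERT + b"x", signed),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:28s} {outcome}")
```

In the TOFU run the attacker's key is pinned on first contact and it is the real host that later shows up as a mismatch, which is exactly the window the message describes; the DNS-anchored check rejects the attacker's key on the first connection but refuses to act on an unsigned answer, since a spoofable record would only move the attack from the SSH handshake to the DNS lookup.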
- OpenDNS today announced it has adopted DNSCurve t… Joe Baptista
- RE: OpenDNS today announced it has adopted DNSCur… Dearlove, Christopher (UK)
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: OpenDNS today announced it has adopted DNSCur… tytso
- Re: OpenDNS today announced it has adopted DNSCur… Dave CROCKER
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Wes Hardaker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Steven M. Bellovin
- DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today a… Shane Kerr
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Marc Petit-Huguenin
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Andrew Sullivan
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Mark Andrews
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Basil Dolmatov
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Abley
- RE: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Hollenbeck, Scott
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Wassim Haddad
- PKIgate Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta