Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Shumon Huque <shuque@isc.upenn.edu> Tue, 02 March 2010 17:26 UTC
Date: Tue, 02 Mar 2010 12:26:15 -0500
From: Shumon Huque <shuque@isc.upenn.edu>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Message-ID: <20100302172614.GA15908@isc.upenn.edu>
Organization: University of Pennsylvania
Cc: Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
On Tue, Mar 02, 2010 at 06:13:28AM +0900, Masataka Ohta wrote:
> Phillip Hallam-Baker wrote:
>
> > Moving to DNSSEC, regardless of the technical model does not eliminate
> > the need for certificates or CAs. The purpose of EV certificates is to
> > re-establish the principle of accountability.
>
> I don't know what EV means, but anything human, including CA, is not
> infallible, which is why PKI is insecure.

"EV" = Extended Validation certificates.

Re-establishing (Establishing?) the concept of accountability, I think, requires more than introduction of EV certificates. Assuming that there is even agreement that they have a more accountable CPS, it also requires removal of the allegedly non-accountable CAs from trust anchor lists. This hasn't happened.

There is also the question of the actual effectiveness of EV certificates. Do they really work? Can their indicators be spoofed? And can normal users use their visual cues to actually make informed security decisions?

There appears to be a growing body of empirical work that shows that the typical user is unable to make effective security decisions based on certificates and their complex set of indicators (whether they are EV branded or not). Here are a few pointers, which I'm sure many folks on this list are well aware of ...

* An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
  ISSN 0302-9743 (Print) 1611-3349 (Online)
  Financial Cryptography and Data Security, 2007
  http://www.adambarth.com/papers/2007/jackson-simon-tan-barth.pdf

* Why Phishing Works
  http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf
  2006

* The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies.
  http://www.usablesecurity.org/emperor/
  May 2007

* Crying Wolf: An Empirical Study of SSL Warning Effectiveness
  http://www.usenix.org/events/sec09/tech/full_papers/sunshine.pdf
  July 2009

And the paper I know of that supports the effectiveness of EV:

* Extended Validation SSL: Green Address Bar Consumer Research
  Verisign/Thawte/Tec-Ed study:
  http://www.verisign.com.sg/guide/ssl-ev/EV-SSL-GreenBarResearch.pdf

There have been extensive discussions on this topic on various other lists (cryptography, w3c, etc.), and I'm not sure I look forward to seeing all of it rehashed on the IETF list. But I would be interested in pointers to other credible studies on this topic.

--Shumon.