Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Joe Baptista <baptista@publicroot.org> Mon, 01 March 2010 16:35 UTC
In-Reply-To: <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org> <4B863571.40604@necom830.hpcl.titech.ac.jp> <a123a5d61002250614h36c51a42xebb54c3cc340829d@mail.gmail.com> <alpine.LFD.1.10.1002251151010.1697@newtla.xelerance.com> <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com>
Date: Mon, 01 Mar 2010 11:34:53 -0500
Message-ID: <874c02a21003010834o49531071p29f4492cd149c1e7@mail.gmail.com>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
From: Joe Baptista <baptista@publicroot.org>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
I just want to remind everyone that a DNScurve draft is on the table.

http://tools.ietf.org/html/draft-dempsky-dnscurve-01

There is an urgent need to solve the DNS security issues within a reasonable period of time. Please remember the Kaminsky DNS bug did not identify a security problem with the DNS but with the UDP transport. DNScurve fixes the problem today without having to spend 15 more years getting it right. And it does not cost a fortune to implement.

DNSSEC is more of a make-work project than it is a solution. And DNSSEC does not solve the UDP issue. And that is the problem DNScurve fixes NOW.

If there is any common sense left at the IETF (and I think there are sparks here and there), then I strongly recommend IETF members get DNScurve established as an RFC. We need leadership, not more DNSSEC blah blah blah.

Together let's exercise some common sense and support draft-dempsky-dnscurve-01.

regards
joe baptista

On Thu, Feb 25, 2010 at 3:01 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> Who are these 'security researchers' of whom you speak? I am a
> principal in the security field, if you want to contradict me then you
> should either say that something is your personal opinion or you
> should specify the other parties you are referring to.
>
> The reason that I want to see what the key registration process is
> going to look like is precisely because the validation process
> matters. It is the reason that I sent out the invitations to the
> original meeting that started the process that created EV
> certificates.
>
> Moving to DNSSEC, regardless of the technical model, does not eliminate
> the need for certificates or CAs. The purpose of EV certificates is to
> re-establish the principle of accountability.
>
> You can design a PKI to meet many different needs. Identity is one
> purpose, but not a very useful one. Which is the real reason that
> identity systems are so hard to deploy. If you want security from a
> PKI you will do better with a validation system that provides
> accountability.
>
> I use words very carefully. I know that you can use SSH keys protected
> by DNSSEC. But at the moment there is not a complete proposal for a
> Secure DNS system. Key parts of that system are being left to chance
> and that is why the prospects for an alternative system are much
> better than you imagine.
>
>
> On Thu, Feb 25, 2010 at 11:55 AM, Paul Wouters <paul@xelerance.com> wrote:
> > On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:
> >
> >> But SSH would be much better if we could integrate the key
> >> distribution into a secured DNS.
> >
> > See previous post. Already done and running.
> >
> >> And self-signed SSL certs would be
> >> better if we could use hash values distributed through a secured DNS
> >> to verify them.
> >
> > Yes. The CERT/CERTQ record is still a bit of a problem and needs some
> > work.
> >
> >> If DNSSEC succeeds, the domain validated certificate business will
> >> have to either transform or eventually die. I think that for most CAs,
> >> the business opportunities from SSL+DNSSEC are greater than the
> >> opportunities from the current DV SSL business. DNSSEC cannot deploy
> >> unless the registrars have cryptography experience, the CAs have that
> >> experience.
> >
> > If you ask security researchers, it has been proven that CAs sacrificed
> > security for profitability. The CA model has failed to work. 2 second
> > validation based on email, md5 based * root certificates signed, etc etc.
> > The last two years saw a significant amount of attacks against CAs, and
> > CAs have seen their profit margin fall to near zero, so even if they
> > wanted to, they cannot increase security (you ask me a confirmation for
> > my cert, I'll go to this other ssl provider that doesn't).
> >
> > CERTs in DNS(SEC) put the responsibility of the cert within the domain of
> > the customer. If they care, they can do their security. The time of
> > outsourcing security to CAs is over.
> >
> > Paul
> >
>
>
> --
> --
> New Website: http://hallambaker.com/
> View Quantum of Stupid podcasts, Tuesday and Thursday each week,
> http://quantumofstupid.com/
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf