Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Phillip Hallam-Baker <hallam@gmail.com> Thu, 25 February 2010 19:59 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EAEA228C1E8 for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 11:59:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.568
X-Spam-Level:
X-Spam-Status: No, score=-1.568 tagged_above=-999 required=5 tests=[AWL=-0.602, BAYES_00=-2.599, FRT_EXPERIENCE=2.333, GB_I_INVITATION=-2, J_CHICKENPOX_36=0.6, SARE_BIZOP=0.7]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cN--geP0zi6 for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 11:59:28 -0800 (PST)
Received: from mail-iw0-f191.google.com (mail-iw0-f191.google.com [209.85.223.191]) by core3.amsl.com (Postfix) with ESMTP id 354DE28C150 for <ietf@ietf.org>; Thu, 25 Feb 2010 11:59:24 -0800 (PST)
Received: by iwn29 with SMTP id 29so4725614iwn.31 for <ietf@ietf.org>; Thu, 25 Feb 2010 12:01:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=IKopxebLv1NZ+kwKeQZvHtjzrVq76IKQThS6PWIj+KU=; b=OYYOpvP/gkemRmwESiHW+oEKMpRF7mR824jS8U0rgTVxPRYUVTKvD8NJ3GdXX+wggW +S5Hy4d9fDq4bnLRRVMP7wdoNIk87pc5xIbHlLotekFv39X3ryUsN/NMbZbZdnuTpb4N sWw0/CJYuZxccVJ56YZkUVInrKcW6bjnKS6Es=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=UZg1F9Nl5TlRx4zA/MXxTdbv86QCX9VJoPnlw+J9MJt14g4I7BnALxWPEgyEUXRXN6 BXsONLqfikY+fDJjDWktOYlTFOXUGUufkvhpsKhSJ2mL3Jkgqb75Lrd6msT4FHeYsgou EC7sWzdP+9ujGJ13Cdr0bfW2jFAl94E2vHTCY=
MIME-Version: 1.0
Received: by 10.231.169.71 with SMTP id x7mr762260iby.18.1267128089791; Thu, 25 Feb 2010 12:01:29 -0800 (PST)
In-Reply-To: <alpine.LFD.1.10.1002251151010.1697@newtla.xelerance.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org> <4B863571.40604@necom830.hpcl.titech.ac.jp> <a123a5d61002250614h36c51a42xebb54c3cc340829d@mail.gmail.com> <alpine.LFD.1.10.1002251151010.1697@newtla.xelerance.com>
Date: Thu, 25 Feb 2010 15:01:29 -0500
Message-ID: <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Wouters <paul@xelerance.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Mon, 01 Mar 2010 07:31:55 -0800
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 19:59:30 -0000
Who are these 'security researchers' of whom you speak? I am a principal in the security field, if you want to contradict me then you should either say that something is your personal opinion or you should specify the other parties you are referring to. The reason that I want to see what the key registration process is going to look like is precisely because the validation process matters. It is the reason that I sent out the invitations to the original meeting that started the process that created EV certificates. Moving to DNSSEC, regardless of the technical model does not eliminate the need for certificates or CAs. The purpose of EV certificates is to re-establish the principle of accountability. You can design a PKI to meet many different needs. Identity is one purpose, but not a very useful one. Which is the real reason that identity systems are so hard to deploy. If you want security from a PKI you will do better with a validation system that provides accountability. I use words very carefully. I know that you can use SSH keys protected by DNSSEC. But at the moment there is not a complete proposal for a Secure DNS system. Key parts of that system are being left to chance and that is why the prospects for an alternative system are much better than you imagine. On Thu, Feb 25, 2010 at 11:55 AM, Paul Wouters <paul@xelerance.com> wrote: > On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote: > >> But SSH would be much better if we could integrate the key >> distribution into a secured DNS. > > See previous post. Already done and running. > >> And self-signed SSL certs would be >> better if we could use hash values distributed through a secured DNS >> to verify them. > > Yes. The CERT/CERTQ record is still a bit of a problem and needs some > work. > >> If DNSSEC succeeds, the domain validated certificate business will >> have to either transform or eventually die. I think that for most CAs, >> the business opportunities from SSL+DNSSEC are greater than the >> opportunities from the current DV SSL business. DNSSEC cannot deploy >> unless the registrars have cryptography expperience, the CAs have that >> experience. > > If you ask security researchers, it has been proven that CA's sacrificed > security for profitability. The CA model has failed to work. 2 second > validation based on email, md5 based * root certificates signed, etc etc. > The last two years saw a significant amount of attacks against CA's, and > CA's have seen their profit margin fall to near zero, so even if they > wanted to, they cannot increase security (you ask me a confirmation for > my cert, I'll go to this other ssl provider that doesn't). > > CERT's in DNS(SEC) put the responsibility of the cert within the domain of > the customer. If they care, they can do their security. The time of > outsourcing security to CA's is over. > > Paul > -- -- New Website: http://hallambaker.com/ View Quantum of Stupid podcasts, Tuesday and Thursday each week, http://quantumofstupid.com/
- OpenDNS today announced it has adopted DNSCurve t… Joe Baptista
- RE: OpenDNS today announced it has adopted DNSCur… Dearlove, Christopher (UK)
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: OpenDNS today announced it has adopted DNSCur… tytso
- Re: OpenDNS today announced it has adopted DNSCur… Dave CROCKER
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Wes Hardaker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Steven M. Bellovin
- DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today a… Shane Kerr
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Marc Petit-Huguenin
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Andrew Sullivan
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Mark Andrews
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Basil Dolmatov
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Abley
- RE: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Hollenbeck, Scott
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Wassim Haddad
- PKIgate Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta