Re: [keyassure] Objective: Restrictive versus Supplementary Models
James Cloos <cloos@jhcloos.com> Thu, 31 March 2011 14:11 UTC
Return-Path: <cloos@jhcloos.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E68F28C106 for <keyassure@core3.amsl.com>; Thu, 31 Mar 2011 07:11:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.06
X-Spam-Level:
X-Spam-Status: No, score=-2.06 tagged_above=-999 required=5 tests=[AWL=0.540, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhvBi34Q0udd for <keyassure@core3.amsl.com>; Thu, 31 Mar 2011 07:11:52 -0700 (PDT)
Received: from eagle.jhcloos.com (eagle.jhcloos.com [IPv6:2001:1938:12d::53]) by core3.amsl.com (Postfix) with ESMTP id 641D73A69BD for <keyassure@ietf.org>; Thu, 31 Mar 2011 07:11:52 -0700 (PDT)
Received: by eagle.jhcloos.com (Postfix, from userid 10) id 6F13B400FA; Thu, 31 Mar 2011 14:13:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=eagle; t=1301580810; bh=3kfvi4PVxaL71ErYV76GmG724Sqh6JUblMnbuPZvDYA=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=P/x0Z5Kfgaot2g53RdCUYcDSeI99bUuDTWpgFd51dvn5l5Nlvv17eiCViG8muMj79 OgxHvDGDxrIBD95kpi8c/NzVRwRkB1ueF+qXXA5k3BQgcWH2XXlU6cQfTX9tKT5Nnr 4BFKvgg3d25XMgMavoUlCWpifO1OBW3XcxidUAw0=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id 0B63A260042; Thu, 31 Mar 2011 14:02:48 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: mrex@sap.com
In-Reply-To: <201103311302.p2VD2AWx020816@fs4113.wdf.sap.corp> (Martin Rex's message of "Thu, 31 Mar 2011 15:02:10 +0200 (MEST)")
References: <201103311302.p2VD2AWx020816@fs4113.wdf.sap.corp>
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2011 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Thu, 31 Mar 2011 10:02:48 -0400
Message-ID: <m3lizvbd5r.fsf@jhcloos.com>
Lines: 25
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:30:110331:mrex@sap.com::zJsh2sZglS5jmL5M:0000avsl4
X-Hashcash: 1:30:110331:ekr@rtfm.com::CEoyFTDH1WtYcXvQ:0000uu9zV
X-Hashcash: 1:30:110331:keyassure@ietf.org::unrpzcZDCJvQwMzI:000000000000000000000000000000000000000000RJuCM
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 14:11:54 -0000
>>>>> "MR" == Martin Rex <mrex@sap.com> writes: MR> In a first round of attack, the attacker inserts a fake unsigned MR> TLSA record (DNS poisoning) that the victim is accessing with TLS MR> frequently and where the DNS admin is not using DNSSEC. Why would an attacker insert a fake tlsa w/o a matching fake a or aaaa? More likely they inject both and send the user off to a fake site with matching fake credentials. The client software might notice that the creds have changed since the last time it visited (/if/ it has ever visited), but how many do that for longer than a "session"? Any? Without dane the attacker just does the fake a/aaaa, fake server and fake cert an still wins. So it isn't a regression. But dtls w/o dnssec doesn't actually help either. Injecting a dtls w/o also injecting other fake RRs might get done as a lark, but any real attacks will be more sophisticated. -JimC -- James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
- [keyassure] Objective: Restrictive versus Supplem… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Stephen Kent
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Warren Kumari
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
- Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
- Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
- Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
- Re: [keyassure] Objective: Restrictive versus Sup… Jim Schaad