Re: [keyassure] Objective: Restrictive versus Supplementary Models

[Michael Richardson <mcr@sandelman.ca>]

>>>>> "Warren" == Warren Kumari <warren@kumari.net> writes:
    Warren> In Eric's Case / Objective 1 (where DNSSEC might not be
    Warren> needed): Scenario 1: If I am the operator of example.com and
    Warren> Mallory manages to trick EzCerts into issuing him a cert for
    Warren> example.com.  Let's say that Mallory is powerful, and can
    Warren> monkey with DNS traffic for users behind ISP Foo (and only
    Warren> behind ISP Foo).  If we allow TLSA without DNSSEC to say
    Warren> "Cert X must appear in the path" Malloy can do bad things to
    Warren> users of ISP Foo (by stripping the record, changing it to
    Warren> his, etc). BUT all users NOT behind ISP Foo (and all users
    Warren> of ISP Foo who do DNSSEC validation) will know not to accept
    Warren> Mallory's cert for example.com.  As the operator of
    Warren> example.com, I am unhappy, but I have at least limited the
    Warren> scope of the attack....

There is an assumption here that the days of widespread DNS cache
poisioning are over.  That Mallory essentially can now only do an
on-path attack on DNS.

I'm not claiming this isn't true, but just stating this assumption.
There are still lots of open recursive resolvers.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition.