Re: [keyassure] Objective: Restrictive versus Supplementary Models

Michael Richardson <> Thu, 31 March 2011 08:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB1773A6B22 for <>; Thu, 31 Mar 2011 01:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.451
X-Spam-Status: No, score=-1.451 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I3jKCDHB3XTA for <>; Thu, 31 Mar 2011 01:14:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9316D3A69B7 for <>; Thu, 31 Mar 2011 01:14:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 4FB5E98028 for <>; Thu, 31 Mar 2011 04:15:40 -0400 (EDT)
Received: from ( []) by (Postfix) with ESMTP id 3B11698B17 for <>; Thu, 31 Mar 2011 10:16:37 +0200 (CEST)
From: Michael Richardson <>
In-Reply-To: <>
References: <> <>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 22)
Date: Thu, 31 Mar 2011 10:16:37 +0200
Message-ID: <>
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Mar 2011 08:14:03 -0000

>>>>> "Warren" == Warren Kumari <> writes:
    Warren> In Eric's Case / Objective 1 (where DNSSEC might not be
    Warren> needed): Scenario 1: If I am the operator of and
    Warren> Mallory manages to trick EzCerts into issuing him a cert for
    Warren>  Let's say that Mallory is powerful, and can
    Warren> monkey with DNS traffic for users behind ISP Foo (and only
    Warren> behind ISP Foo).  If we allow TLSA without DNSSEC to say
    Warren> "Cert X must appear in the path" Malloy can do bad things to
    Warren> users of ISP Foo (by stripping the record, changing it to
    Warren> his, etc). BUT all users NOT behind ISP Foo (and all users
    Warren> of ISP Foo who do DNSSEC validation) will know not to accept
    Warren> Mallory's cert for  As the operator of
    Warren>, I am unhappy, but I have at least limited the
    Warren> scope of the attack....

There is an assumption here that the days of widespread DNS cache
poisioning are over.  That Mallory essentially can now only do an
on-path attack on DNS.

I'm not claiming this isn't true, but just stating this assumption.
There are still lots of open recursive resolvers.

]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
   Kyoto Plus: watch the video <>
	               then sign the petition.