Re: [perpass] A reminder, the Network is the Enemy...

Matthäus Wander <matthaeus.wander@uni-due.de> Thu, 05 December 2013 10:09 UTC

Return-Path: <matthaeus.wander@uni-due.de>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5441ADDD1 for <perpass@ietfa.amsl.com>; Thu, 5 Dec 2013 02:09:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.251
X-Spam-Level:
X-Spam-Status: No, score=-1.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjSam8_MwDbc for <perpass@ietfa.amsl.com>; Thu, 5 Dec 2013 02:09:46 -0800 (PST)
Received: from mailout.uni-due.de (mailout.uni-due.de [132.252.185.19]) by ietfa.amsl.com (Postfix) with ESMTP id B5AAA1ADD02 for <perpass@ietf.org>; Thu, 5 Dec 2013 02:09:45 -0800 (PST)
Received: from [192.168.8.100] (wall-a.vs.uni-duisburg-essen.de [134.91.78.130]) (authenticated bits=0) by mailout.uni-due.de (8.13.1/8.13.1) with ESMTP id rB5A9fYs002215 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <perpass@ietf.org>; Thu, 5 Dec 2013 11:09:41 +0100
Message-ID: <52A050E7.8010405@uni-due.de>
Date: Thu, 05 Dec 2013 11:09:43 +0100
From: =?ISO-8859-15?Q?Matth=E4us_Wander?= <matthaeus.wander@uni-due.de>
Organization: Verteilte Systeme
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: perpass@ietf.org
References: <C0D19C51-6EA6-4EAF-B9CB-D80F673262E5@icsi.berkeley.edu>
In-Reply-To: <C0D19C51-6EA6-4EAF-B9CB-D80F673262E5@icsi.berkeley.edu>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms080909070408020206070505"
X-Virus-Scanned: Clam Anti Virus - http://www.clamav.net
X-Spam-Scanned: SpamAssassin: 3.002004 - http://www.spamassassin.org
X-Scanned-By: MIMEDefang 2.57 on 132.252.185.19
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 10:09:47 -0000

* Nicholas Weaver [2013-12-02 17:56]:
> Actually spoofing DNSSEC replies even with knowledge of the root key is going to be difficult...

If we assume the attacker can get the private root KSK from an US-based
corp, then we should also assume they can get the private root ZSK from
another US-based corp. As the owner of the root ZSK also owns the keys
for .com, the attack becomes much easier.

Regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg