Re: [perpass] A reminder, the Network is the Enemy...

Stephane Bortzmeyer <bortzmeyer@nic.fr> Mon, 16 December 2013 08:11 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5691AE0D9 for <perpass@ietfa.amsl.com>; Mon, 16 Dec 2013 00:11:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I1ifCLsjKrkX for <perpass@ietfa.amsl.com>; Mon, 16 Dec 2013 00:11:40 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) by ietfa.amsl.com (Postfix) with ESMTP id 481F11AE193 for <perpass@ietf.org>; Mon, 16 Dec 2013 00:11:39 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 5EF212806CF; Mon, 16 Dec 2013 09:11:37 +0100 (CET)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx4.nic.fr (Postfix) with ESMTP id 59A9B2806CC; Mon, 16 Dec 2013 09:11:37 +0100 (CET)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [IPv6:2001:67c:1348:8::7:113]) by relay2.nic.fr (Postfix) with ESMTP id 57B4CB3800C; Mon, 16 Dec 2013 09:11:07 +0100 (CET)
Date: Mon, 16 Dec 2013 09:11:07 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Russ Mundy <mundy@tislabs.com>
Message-ID: <20131216081107.GA21632@nic.fr>
References: <C0D19C51-6EA6-4EAF-B9CB-D80F673262E5@icsi.berkeley.edu> <52A050E7.8010405@uni-due.de> <C94CFC5A-3A5E-427E-B269-2457A696E2DC@tislabs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <C94CFC5A-3A5E-427E-B269-2457A696E2DC@tislabs.com>
X-Operating-System: Debian GNU/Linux 7.2
X-Kernel: Linux 3.2.0-4-686-pae i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: perpass@ietf.org, Matthäus Wander <matthaeus.wander@uni-due.de>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2013 08:11:48 -0000

On Thu, Dec 05, 2013 at 10:35:30AM -0500,
 Russ Mundy <mundy@tislabs.com> wrote 
 a message of 67 lines which said:

> I've seen some references on this list saying (essentially) that it
> is a valid assumption that an "attacker" ("unauthorized entity"
> might be a better term) can get or already has the DNS root (& maybe
> .com) private key. 

Small fix: I did not say so (the root private key is in an HSM and
presumably, nobody, not even the NSA, can take it out). I said "the
NSA can probably sign arbitrary data with the private key of the
root". In practice, it has the same consequences. But it is a common
mistake when people assert the security of things like domain name
registries. You don't need to hold the private key, you just need the
ability to feed data to the signer and get the result, which is
typically much easier.
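The distinction drawn above, that a signer you can drive is as good as the key itself, as an added example that is not part of the original message or of any IETF or NIC France code. The toy Go program below (all names, `HSM`, `PolicySigner`, `SignRecord`, and the one-line record format are assumptions made for illustration; real DNSSEC RRSIG formatting is not modelled) keeps an Ed25519 private key inside an object that never exports it, yet anyone who can call `Sign` obtains a signature that verifies under the public key. The mitigation it shows is the one a registry actually relies on: put the raw oracle behind a policy gate that refuses out-of-scope data and records every request it does accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// HSM models a signing device (name is an assumption for this example):
// the private key is generated inside and never leaves. Callers only
// get the public key and a Sign() operation.
type HSM struct {
	priv ed25519.PrivateKey // unexported: no getter, never serialised
}

func NewHSM() (*HSM, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HSM{priv: priv}, nil
}

func (h *HSM) PublicKey() ed25519.PublicKey {
	return h.priv.Public().(ed25519.PublicKey)
}

// Sign is the raw signing oracle. Whoever can reach it gets a valid
// signature over whatever bytes they supply, so access to this call is
// the security boundary, not extractability of the key.
func (h *HSM) Sign(data []byte) []byte {
	return ed25519.Sign(h.priv, data)
}

// PolicySigner is the mitigation: the oracle is only reachable through a
// gate that checks the request against a zone allowlist and logs it.
type PolicySigner struct {
	hsm   *HSM
	zones map[string]bool // normalised zone names this signer may sign for
	Audit []string        // append-only record of every accepted request
}

// NewPolicySigner wires an HSM to an allowlist of zones ("example." etc.).
func NewPolicySigner(h *HSM, zones ...string) *PolicySigner {
	p := &PolicySigner{hsm: h, zones: map[string]bool{}}
	for _, z := range zones {
		p.zones[normalise(z)] = true
	}
	return p
}

var ErrOutOfScope = errors.New("refused: owner name is outside the signer's zone policy")

// SignRecord signs a toy one-line record such as "www.example. A 192.0.2.1"
// (constructed format, not real presentation-format RRsets) only when the
// owner name falls within an allowed zone. Accepted requests are audited.
func (p *PolicySigner) SignRecord(record string) ([]byte, error) {
	fields := strings.Fields(record)
	if len(fields) == 0 || !p.allowed(fields[0]) {
		return nil, ErrOutOfScope
	}
	p.Audit = append(p.Audit, record)
	return p.hsm.Sign([]byte(record)), nil
}

func (p *PolicySigner) allowed(owner string) bool {
	name := normalise(owner)
	for z := range p.zones {
		if name == z || strings.HasSuffix(name, "."+z) {
			return true
		}
	}
	return false
}

// normalise lower-cases a name and strips the trailing dot.
func normalise(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

func main() {
	hsm, err := NewHSM()
	if err != nil {
		panic(err)
	}
	// Raw oracle: key never leaves, signature still verifies.
	data := []byte("www.other.test. A 192.0.2.9") // constructed sample
	fmt.Println("raw oracle verifies:", ed25519.Verify(hsm.PublicKey(), data, hsm.Sign(data)))

	// Gated signer: same HSM, but out-of-scope data is refused and logged.
	ps := NewPolicySigner(hsm, "example.")
	_, err = ps.SignRecord("www.other.test. A 192.0.2.9")
	fmt.Println("gated signer refuses out-of-scope:", errors.Is(err, ErrOutOfScope))
	_, err = ps.SignRecord("www.example. A 192.0.2.1")
	fmt.Println("gated signer accepts in-scope:", err == nil, "audit entries:", len(ps.Audit))
}
```

The raw `Sign` call is what the message calls "the ability to feed data to the signer and get the result"; the `PolicySigner` gate and its audit trail are where a registry's real assurance has to come from, since the HSM alone only promises that the key bytes stay put.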