Re: [perpass] A reminder, the Network is the Enemy...
Phillip Hallam-Baker <hallam@gmail.com> Mon, 09 December 2013 05:54 UTC
In-Reply-To: <C94CFC5A-3A5E-427E-B269-2457A696E2DC@tislabs.com>
References: <C0D19C51-6EA6-4EAF-B9CB-D80F673262E5@icsi.berkeley.edu> <52A050E7.8010405@uni-due.de> <C94CFC5A-3A5E-427E-B269-2457A696E2DC@tislabs.com>
Date: Mon, 09 Dec 2013 00:54:04 -0500
Message-ID: <CAMm+LwjsSmNMshmMjg+bFQw+x+ek1q5x6=QfHkKW2fCGLqD8Xw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Russ Mundy <mundy@tislabs.com>
Cc: perpass <perpass@ietf.org>, Matthäus Wander <matthaeus.wander@uni-due.de>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
On Thu, Dec 5, 2013 at 10:35 AM, Russ Mundy <mundy@tislabs.com> wrote:

> On Dec 5, 2013, at 5:09 AM, Matthäus Wander <matthaeus.wander@uni-due.de> wrote:
>
>> * Nicholas Weaver [2013-12-02 17:56]:
>>> Actually spoofing DNSSEC replies even with knowledge of the root key is going to be difficult...
>>
>> If we assume the attacker can get the private root KSK from a US-based corp, then we should also assume they can get the private root ZSK from another US-based corp. As the owner of the root ZSK also owns the keys for .com, the attack becomes much easier.
>
> If we (as the IETF) make an assumption that the DNSSEC private key(s) are "available" to some "unauthorized entity" (govt or otherwise) because a significant part of a particular operation is located in a particular geographic region, then we need to also make a similar assumption for any/all Certification Authorities' root private key(s), since the underlying cryptographic technology widely used by TLS is basically the same. The DigiNotar attack, though not geographically related, clearly illustrates that very bad things can happen when an "unauthorized entity" is able to have access to and use of root private keys for a CA.

I agree with respect to covert attacks. Yes, there is a risk in both cases, and the right control is to establish a very high probability of detection so that it becomes an overt attack.

What is unique in the case of DNSSEC is that there is only one root, and thus a government can perform a denial of service attack against TLDs. For example, asserting that signing the Cuba or Palestine roots would breach existing sanctions legislation, or passing new legislation.

And such scenarios do not seem at all far-fetched to me, having watched the government shutdown.

--
Website: http://hallambaker.com/
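As an added illustration of the "high probability of detection" control discussed in this thread (example code written for this archive page, not from any poster or IETF project): the script below computes the RFC 4034 key tag and SHA-256 DS digest of a DNSKEY record so that a resolver operator can check a root key against a pinned, out-of-band trust anchor, and it diffs two snapshots of root-zone DS records to flag TLDs whose secure delegation has disappeared. All key material, DS digests and snapshot contents are constructed for the example; the function names are my own.

```python
# Added example (not from the thread): verify a DNSSEC trust anchor against a
# pinned DS digest, and detect TLDs whose DS records vanish from the root zone.
# Key material, digests and snapshots below are constructed, not real IANA data.
import base64
import hashlib
from typing import Dict, Set, Tuple, List


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """RFC 4034 DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than 1): 16-bit end-around sum."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name; the root "." is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """RFC 4034 5.1.4 / RFC 4509: DS digest = SHA-256(owner name wire | DNSKEY RDATA)."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()


def is_sep_key(flags: int) -> bool:
    """Zone Key bit (0x0100) and Secure Entry Point bit (0x0001) both set, i.e. a KSK."""
    return flags & 0x0101 == 0x0101


def check_trust_anchor(owner: str, flags: int, protocol: int, algorithm: int,
                       pubkey_b64: str, pinned_ds: str) -> Tuple[bool, int, str]:
    """Return (ok, key_tag, digest). ok is True only for a SEP key whose DS digest
    matches the digest pinned out of band; anything else should be alarmed on,
    not trusted, because a substituted root key would fail exactly here."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    digest = ds_digest_sha256(owner, rdata)
    return (is_sep_key(flags) and digest == pinned_ds.upper(), tag, digest)


def delegations_lost(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[str]:
    """Compare two snapshots of root-zone DS records (TLD -> set of DS digests).
    A TLD that had DS records and now has none has silently become insecure:
    the denial-of-service-by-not-signing scenario, surfaced as an alert."""
    return sorted(tld for tld, ds in previous.items() if ds and not current.get(tld))


if __name__ == "__main__":
    # Constructed key: flags 257 (KSK), protocol 3, algorithm 8, 4-byte "public key".
    pinned = ds_digest_sha256(".", dnskey_rdata(257, 3, 8, "AQIDBA=="))
    print("pinned root anchor:", check_trust_anchor(".", 257, 3, 8, "AQIDBA==", pinned))
    print("substituted key:   ", check_trust_anchor(".", 257, 3, 8, "BAMCAQ==", pinned))
    before = {"com": {"DS-A"}, "cu": {"DS-B"}, "ps": {"DS-C"}}  # constructed snapshot
    after = {"com": {"DS-A"}, "cu": set()}                      # .cu and .ps DS gone
    print("delegations lost:", delegations_lost(before, after))
```

The DS comparison is the same check a validating resolver performs when it walks from the trust anchor down to a TLD, so a mismatch at the root, or a TLD dropping out of the signed delegation set between snapshots, is an observable event rather than a covert one; in practice the snapshots would come from the published root zone and the pinned digest from the IANA trust-anchor file fetched over an independent channel.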