Re: DNSSEC architecture vs reality

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: ietf@xxxxxxxx
Subject: Re: DNSSEC architecture vs reality
From: Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Apr 2021 18:07:33 +0900
In-reply-to: <82AAE2BE-4286-4F0F-B122-E387577B54BA@frobbit.se>
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se> <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com> <82AAE2BE-4286-4F0F-B122-E387577B54BA@frobbit.se>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1

Patrik Faltstrom wrote:

Because doing signing is viewed as a cost, and there must be a benefit in doing the signing.


True.

As PKIs, including TLS and DNSSEC, rely on CAs as untrustworthy
TTPs, they are, as was demonstrated by diginotar and google,
subject to MitM attacks on CAs.

That is, PKIs are only as secure as plain Internet with ISPs
as untrustworthy TTPs.

As such, there is no point to waste the signing cost.

> This is why validation must come first. The cost is low,

But, there is no true security for the cost.

						Masataka Ohta

PS

It may still be a good idea to use Diffie Hellman key exchange,
because it is secure against passive attacks.

Follow-Ups:
- Re: DNSSEC architecture vs reality
  - From: Petite Abeille

References:
- Re: Quic: the elephant in the room
  - From: Viktor Dukhovni
- Re: Quic: the elephant in the room
  - From: Ben Laurie
- Re: Quic: the elephant in the room
  - From: Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: the elephant in the room)
  - From: Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic: the elephant in the room)
  - From: Viktor Dukhovni
- Re: DNSSEC architecture vs reality
  - From: Keith Moore
- Re: DNSSEC architecture vs reality
  - From: Petite Abeille
- Re: DNSSEC architecture vs reality
  - From: Michael Thomas
- Re: DNSSEC architecture vs reality
  - From: Nico Williams
- Re: DNSSEC architecture vs reality
  - From: Michael Thomas
- Re: DNSSEC architecture vs reality
  - From: Nico Williams
- Re: DNSSEC architecture vs reality
  - From: Andrew McConachie
- Re: DNSSEC architecture vs reality
  - From: Patrik Fältström
- Re: DNSSEC architecture vs reality
  - From: Eliot Lear
- Re: DNSSEC architecture vs reality
  - From: Patrik Fältström

Prev by Date: Re: [Last-Call] Genart last call review of draft-ietf-opsawg-tacacs-yang-09
Next by Date: Re: DNSSEC architecture vs reality
Previous by thread: Re: DNSSEC architecture vs reality
Next by thread: Re: DNSSEC architecture vs reality
Index(es):
- Date
- Thread

[Index of Archives] [IETF Annoucements] [IETF] [IP Storage] [Yosemite News] [Linux SCTP] [Linux Newbies] [Mhonarc] [Fedora Users]