On Oct 12, 2022, at 09:39, Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > The draft does not distinguish e2e encryption and e2e security, > because, e2e encryption by a shared key compromised by MitM attacks > at some intermediate CAs of some PKI, including DNSSEC, is not > e2e secure. as was demonstrated by diginotar. Indeed you stated this on the dnsop mailing list and concluded there as well that (web)PKI is insecure based on one compromised operator and not based on the security model. At DNSOP you argued to instead use extra long query IDs. That does not apple to message security. What system would you recommend for message encryption ? > As such, DNSSEC is not cryptographically secure and is no better > than plain DNS with long enough message IDs. > > The issue was discussed recently in DNSOP list, and a person > argued against me saying CAs are protected by strong physical > or social security such as "HSMs" (hardware security moduled, > which, theoretically, make secret keyd inaccessible from the > Internet) and "four eyes minimum" (which means, confirmation > by two persons). > > But, requiring so strong physical or social security means > it is not cryptographically secure. > > Moreover, diginotar was advertised to be equipped with > "HSMs" and "four eyes minimum", which may be wrongly > operated or was just a false advertisement by diginotar, > both of which is possible by other CAs. I don’t understand how any of this applies to defining the properties of e2ee that this draft tries to do without declaring any specific IETF protocol at all? What in your terms defines e2ee in message encryption ? Paul
