Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Nikos Mavrogiannopoulos wrote:

>>In general, public key cryptography is scure only if public key
>>distribution is secure.

> Well as far as I know ssh works pretty well today

With plain old DNS, yes, ssh works pretty well today.

However, it should be noted that first ssh connection may be
misdirected, if plain old DNS is attacked.

That is, we know plain old DNS works pretty well today.

> and this model can be
> easy made verifiable (i.e. secure as you say) by the administrator
> verifying the keys of upstream.

Verifiability does not scale, which is why DNSSEC, or PKI in general,
is not really secure.

> Being "secure" heavily depends on what your requirements are

Requirements may vary.

However, my point is that DH (or equivalent elliptic curve cryptography)
does not add anything to simple nonce.

> Is a typical bank in europe secure? Can a
> general go with an armory division and take the money? Of course he can,
> but banks don't consider this a threat.

You, as a general, are free to assume typical ISPs in europe not
secure and packet snooping possible, which means you must say
DNSCurve insecure.

Or, you, as an ordinary person, are free to assume typical ISPs in
europe secure and packet snooping impossible, which means you must
say simple nonce secure.

							Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]