[14141] in cryptography@c2.net mail archive
Re: Is cryptography where security took the wrong branch?
daemon@ATHENA.MIT.EDU (bmanning@karoshi.com)
Wed Sep 10 13:18:55 2003
X-Original-To: cryptography@metzdowd.com
From: bmanning@karoshi.com
To: lynn@garlic.com (Anne & Lynn Wheeler)
Date: Wed, 10 Sep 2003 09:57:41 -0700 (PDT)
Cc: bmanning@karoshi.com, lynn@garlic.com (Anne & Lynn Wheeler),
cryptography@metzdowd.com
In-Reply-To: <4.2.2.20030910074520.00d1d100@mail.earthlink.net> from "Anne & Lynn Wheeler" at Sep 10, 2003 08:14:14 AM
>
> At 03:39 AM 9/10/2003 -0700, bmanning@karoshi.com wrote:
> > There are some other problems w/ using the DNS.
> > No revocation process.
> > DNS caching
> > third-party trust (DNS admins != delegation holder)
>
> Given high value &/or low trust ... relying parties still have option of
> directly contacting root authority. And as outlined, the root authority is
> also the root authority for the CA/PKIs. If you attack the root trust
> authority with false information .... then all subsequent trust operations
> flowing from that false information are suspect. Domain name system still
> has some exploits against the root database resulting in false information
> .... but since that is the root for both DNS as well as CA/PKIs generating
> SSL domain name certificates .... it is a common failure point for both
> infrastructures. It needs to be fixed, in order to improve trust on either
> the DNS side or the CA/PKI side (doesn't matter how thick you make the
> vault door .... if somebody forgot to complete the back wall on the vault).
ok... does anyone else want to "touch" a secured DNS system
that has some parts of the tree fully signed? It's a way to
get some empirical understanding of how interesting/hard
it is to hammer the DNS into a PKI-like thing.
www.rs.net has some information.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
>