I find blanket statements of the form 'Verifiability does not scale'
to be inconsistent with the facts.
We do in fact have a very successful PKI industry with multiple
companies competing in a multi-billion dollar market. The only reason
this is not heralded as the triumph of PKI is that some people thought
that PKI would look different.
The biggest mistakes I made in that business was not recognizing the
need for domain validated SSL earlier and not realizing that
self-signed certificates should be treated positively by UIs. A site
with a self signed cert is always going to be at least as safe as a
site with no cert. So the user should never be presented with a
warning dialog for a self-signed cert.
SSH is not a bad security protocol. It provides a very high level of
protection against high probability risks with little or no impact on
the user. There is a narrow window of vulnerability to a man in the
middle attack.
But SSH would be much better if we could integrate the key
distribution into a secured DNS. And self-signed SSL certs would be
better if we could use hash values distributed through a secured DNS
to verify them.
If DNSSEC succeeds, the domain validated certificate business will
have to either transform or eventually die. I think that for most CAs,
the business opportunities from SSL+DNSSEC are greater than the
opportunities from the current DV SSL business. DNSSEC cannot deploy
unless the registrars have cryptography expperience, the CAs have that
experience.
On Thu, Feb 25, 2010 at 3:31 AM, Masataka Ohta
<mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:
Nikos Mavrogiannopoulos wrote:
In general, public key cryptography is scure only if public key
distribution is secure.
Well as far as I know ssh works pretty well today
With plain old DNS, yes, ssh works pretty well today.
However, it should be noted that first ssh connection may be
misdirected, if plain old DNS is attacked.
That is, we know plain old DNS works pretty well today.
and this model can be
easy made verifiable (i.e. secure as you say) by the administrator
verifying the keys of upstream.
Verifiability does not scale, which is why DNSSEC, or PKI in general,
is not really secure.
Being "secure" heavily depends on what your requirements are
Requirements may vary.
However, my point is that DH (or equivalent elliptic curve cryptography)
does not add anything to simple nonce.
Is a typical bank in europe secure? Can a
general go with an armory division and take the money? Of course he can,
but banks don't consider this a threat.
You, as a general, are free to assume typical ISPs in europe not
secure and packet snooping possible, which means you must say
DNSCurve insecure.
Or, you, as an ordinary person, are free to assume typical ISPs in
europe secure and packet snooping impossible, which means you must
say simple nonce secure.
Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
--
--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf