
Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 20:07:53
Mark Andrews wrote:

If there is going to be an unbroken chain of trust then at some point
there has to be a point where the registry signs the domain owner key
and it is damned obvious that that is the potential weak link in the
chain. I don't want to be more specific than that because I know from
previous interactions that if I try to be precise the response will be
to try to distract with irrelevant nitpicking.

Any chain is breakable by MitM attacks on its intermediate links.

Yes adding data to the parent zone requires secure authenticated
communication.  DS however are no different to NS.  Both require the
same level of authentication.  Yes it is subject to potential social
engineering attacks.

That's how DNSSEC is not secure end to end and only as secure as
plain old DNS (assuming both are properly implemented, though
proper implementation of DNSSEC should be a lot more complex
and, thus, difficult, if not impossible, than plain old DNS).

The end to end security can be established only by sharing a security
information directly and securely by ends without any intermediate
entities such as CAs.

                                                Masataka Ohta