
Re: [IAB] Mandatory encryption as part of HTTP2

2013-11-17 19:33:17
On Sun, Nov 17, 2013 at 7:49 PM, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:

On Sun, Nov 17, 2013 at 07:05:04PM -0500, Phillip Hallam-Baker wrote:
That being said, the problem for PKI is that, assuming active
MITM attacks both on ISP chains and CA chains, it offers no
better security than DH,

As DH involves end systems only, there is no point of deploying
PKI with no additional benefits.

If we assume that the attack model is flying horses armed with lasers
there is no additional benefit.

The point is not what the consequences of the assumptions are, the
question is how likely the assumptions are. If you leave that out of
the equation then the result is nonsense.

Actually, the attack was called "FLYING PIG" --- that was the GCHQ
code name, per the Snowden leaks[1].  Some have speculated that
Diginotar was so badly penetrated that it wasn't just the Iranians
which penetrated it, but the NSA/GCHQ as well.


I think there are enough proven horrors in Snowdonia without speculating
additional ones.



One of the reasons why the bogus Diginotar certificates were detected
was because Google Chrome had a feature called "certificate pinning"
--- which is not a feature normally associated with PKI's.  It's
unfortunately not all that scalable, since it involved hard-coding
certificates, or their hashes, in the browser binary.  The challenge
is coming up with a solution that *is* more scalable, and less
dependent on trusting that CA's are competently run.


Which is exactly what Ben Laurie and myself proposed some time ago in the
original CAA scheme which included cert pinning and a notification scheme.

Unfortunately that approach was deemed to conflict with DANE and so we were
forced to remove the feature. Which is a pity as the CAA pinning scheme did
not depend on DNSSEC as a precondition.


Diginotar would have noticed the issue if they had been checking their OCSP
logs as well.

-- 
Website: http://hallambaker.com/
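
The OCSP-log check mentioned at the end of the message, as an added example that is not part of the original post: a CA compares the serial numbers clients ask its OCSP responder about against its own issuance records, and any serial it has no record of issuing points to a certificate signed outside the normal process. The log format, field names, serials and addresses are constructed for illustration.

```python
"""Flag OCSP requests for certificate serials the CA has no record of issuing."""
from collections import defaultdict

# Constructed issuance records: serial numbers (hex) the CA knows it issued.
ISSUED_SERIALS = {"0a1b2c", "0a1b2d", "0a1b2e"}

# Constructed responder log in a hypothetical format:
#   <timestamp> <client-ip> serial=<hex> status=<answer given>
SAMPLE_LOG = """\
2024-01-01T10:01:02Z 192.0.2.10 serial=0A1B2C status=good
2024-01-01T10:01:05Z 198.51.100.7 serial=00:FF:EE:01 status=unknown
2024-01-01T10:02:11Z 198.51.100.9 serial=ffee01 status=unknown
2024-01-01T10:03:40Z 192.0.2.44 serial=0a1b2e status=good
malformed line without fields
2024-01-01T10:04:00Z 203.0.113.5 serial=0xdead99 status=unknown
"""


def normalize_serial(text):
    """Return the serial as an int (case, colons, leading zeros ignored) or None."""
    try:
        return int(text.replace(":", ""), 16)
    except ValueError:
        return None


def unknown_serials(log_text, issued):
    """Map each never-issued serial (hex) to the set of client IPs that queried it."""
    issued_ints = {normalize_serial(s) for s in issued}
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        serial = normalize_serial(fields.get("serial", ""))
        if len(parts) < 3 or serial is None:
            continue  # skip malformed lines rather than guessing
        # Compare against issuance records, not the answer the responder gave.
        if serial not in issued_ints:
            findings[format(serial, "x")].add(parts[1])
    return dict(findings)


if __name__ == "__main__":
    for serial, clients in sorted(unknown_serials(SAMPLE_LOG, ISSUED_SERIALS).items()):
        print(f"ALERT serial {serial} never issued; queried by {sorted(clients)}")
```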