On Dec 10, 2013, at 6:00 AM, John C Klensin <john-ietf(_at_)jck(_dot_)com>
wrote:
While the integrity checks of DNSSEC provide some protection
against some types of attacks on the "data quality" part of the
DNS environment, the attacks they protect against are very
difficult. An attacker with the resources to apply them would
almost certainly find it easier, less resource-expensive, and
harder to detect to attack registry databases (before data are
entered into DNS zones and signed), registrar practices, or
post-validation servers. Non-technical attacks, such as the
oft-cited hypothetical NSL, are easily applied at those points
as well -- much more easily than tampering with keys or
signatures.
Dear John,
The opacity of CAs, DNS, and BGP places all forms of security at risk! These
mechanisms are never stronger than their weakest link. Without burdensome
cryptographic checking, no Internet service should be trusted. DANE in
conjunction with DNSSEC affords a much needed transparency to expose exchanges
at risk.
TLS should be considered a two-way certificate exchange resolving domains
rather than individuals. For example, a federated service like email lacking
two-way certificate checks cannot be defended from abuse, nor can privacy of
those using such a service be assured. Transparency in the security mechanism
should fully illuminate domains, not individuals. TLS and StartTLS contain
elements for two-way certificate exchange and can make a needed transition from
CAs to DANE while providing a verifiable chain of trust to the controlling
domain.
Of course, websites have adopted synthetic domains as an alternative for web
cookies. When naughty synthetic domains are used, no amount of encryption
protects individuals when metadata remains fully apparent. Perpass documents
should have included stronger statements about protecting services as opposed
to suggesting shortcuts in the guise of affording privacy. No conversation
should ever be considered private without first ensuring the controlling domain
at each end of the exchange.
Regards,
Douglas Otis
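The binding the reply describes, a DNSSEC-signed TLSA record that ties a TLS certificate to the controlling domain rather than to a CA, is illustrated below with an added example that is not part of the original thread or of any DANE implementation. It parses a TLSA record in presentation form (RFC 6698 fields: usage, selector, matching type, association data), computes the association data for a presented certificate, and compares the two in constant time. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; the record name and helper names are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA certificate usage values from RFC 6698.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # certificate usage (0-3)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation form '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def format_tlsa(record: TLSARecord) -> str:
    """Render a record back into presentation form."""
    return f"{record.usage} {record.selector} {record.mtype} {record.data.hex()}"


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the association data a TLSA record would carry for this certificate."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSARecord:
    """Publish-side helper (hypothetical): derive the record for a certificate."""
    return TLSARecord(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches a DNSSEC-validated record.

    Which chain element to compare depends on usage: 1 and 3 name the
    end-entity certificate, 0 and 2 name a CA certificate in the chain.
    """
    try:
        expected = association_data(record.selector, record.mtype, cert_der, spki_der)
    except ValueError:
        return False  # unusable record: fail closed rather than "match"
    return hmac.compare_digest(record.data, expected)


def requires_ca_validation(record: TLSARecord) -> bool:
    """Usages 0 and 1 still depend on the client's CA trust store; 2 and 3 do not."""
    return record.usage in (0, 1)


# Constructed stand-ins for DER-encoded bytes (not a real certificate or key).
EXAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
EXAMPLE_SPKI_DER = b"constructed-subject-public-key-info-bytes"
# DANE-EE (3), SubjectPublicKeyInfo (1), SHA-256 (1): the common choice for SMTP.
EXAMPLE_RECORD = build_tlsa(3, 1, 1, EXAMPLE_CERT_DER, EXAMPLE_SPKI_DER)

if __name__ == "__main__":
    print("_25._tcp.mail.example.net. IN TLSA", format_tlsa(EXAMPLE_RECORD))
    print("usage:", USAGE_NAMES[EXAMPLE_RECORD.usage],
          "needs CA validation:", requires_ca_validation(EXAMPLE_RECORD))
    print("presented key matches:",
          tlsa_matches(EXAMPLE_RECORD, EXAMPLE_CERT_DER, EXAMPLE_SPKI_DER))
    print("altered key matches:",
          tlsa_matches(EXAMPLE_RECORD, EXAMPLE_CERT_DER, EXAMPLE_SPKI_DER + b"!"))
```

The check is only as trustworthy as the DNSSEC validation that delivered the record: a client must refuse to act on an unsigned or bogus TLSA answer, which is the point the thread makes about the chain being no stronger than its weakest link. With usage 3 the client's CA store is not consulted at all, so the authority over the certificate rests entirely with whoever controls the signed zone.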