[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Social-discuss] Re: DNSSEC update and client side certificates
From: |
Story Henry |
Subject: |
[Social-discuss] Re: DNSSEC update and client side certificates |
Date: |
Sat, 20 Mar 2010 21:03:43 +0100 |
In an interview of Dan Kaminsky last year he says the following:
[[
Kaminsky: DNSSEC is interesting not because it fixes DNS. DNSSEC is interesting
because it allows us to start addressing core problems we have on the Internet
in a systematic and scalable way. The reality is: Trust is not selling across
organizational boundaries. We have lots and lots systems that allow companies
to authenticate their own people, manage and monitor their own people and
interact with their own people. In a world where companies only deal with
themselves, that's great. We don't live in that world and we haven't for many
years.
Q: How does DNSSEC help fix that?
Kaminsky: One of the fascinating elements of the Verizon Data Breach
Investigations Report is that if there was a hack, 40% of the time it was an
implementation flaw, and 60% of the time it was an authentication flaw --
something happened with authentication credentials and everything blew up. At
the end day, why do we use passwords? It's the only authentication technology
that we have that even remotely works across organizational boundaries, and the
only thing that scales today. Our existing ways of doing trust across
organizational boundaries don't work. Passwords are failures; certificates that
were supposed to replace passwords are not working -- period, end of discussion.
DNS has been doing cross-organizational address management for 25 years; it
works great. DNS is the world's largest PKI without the 'K.'All DNSSEC does is
add keys. It takes this system that scales wonderfully and has been a success
for 25 years, and says our trust problems are cross-organizational, and takes
best technology on the Internet for cross-organizational operations and gives
it trust. And if we do this right, we'll see every single company with new
products and services around the fact that there's one trusted root, and one
trusted delegating proven system doing security across organizational
boundaries.
]] http://bit.ly/19P188
I came across this from the very interesting Wikipedia article
http://fr.wikipedia.org/wiki/DNSSEC
On 20 Mar 2010, at 19:44, Henry Story wrote:
> Hi,
>
> Here are two issues with X509 that were hindrances for a solution like
> foaf+ssl to be deployed, but which can and are being fixed:
>
> 1. Client Side Certificate selection
> ------------------------------------
>
> Browsers currently do a very bad job of allowing the user to choose his
> certificate (Safari being the absolute worse). As a result I posted "Firefox
> Hackers Needed"
>
> http://bit.ly/cQ5f48
>
> earlier this week. @snej who is working at Google put up a picture of a
> solution for this in Chrome using a foaf+ssl certificate created by
> http://webid.myxwiki.org/
>
> http://bit.ly/azCXTU
>
> Vote for it!
>
> 2. Server side certificates
> ---------------------------
>
> One factor that people mention often with foaf+ssl is that the server has to
> have his own certificate. This means registration with a CA which is costly
> and tedious and it does not really solve the problems of server
> authentication as Dan Kaminsky shows ruthlessly in "Black Ops of PKI"
> http://bit.ly/4Uwb2K .
>
> To summarise his talk, server security is in a double bind:
>
> 1- Dan Kaminsky's DNS poisoning attack which is very well explained by Rick
> Van Rein's presentation "Cracking Internet: the urgency of DNSSEC" (
> http://bit.ly/2darr8 view with FFox > 3.5 as it uses ogg video) means that a
> DNS easily be hacked in 6 weeks, and a lot of money poured into the wrong
> people's pockets. So there is a financial incentive to break DNS.
>
> 2. The solution of using https with X.509 public key cryptography's backing
> cannot work because there is a race to the bottom in the way CA's issue
> certificates. For enough money it is not that difficult to become God and to
> pretend you are anyone.
>
> Given the above DNSsec has become urgent enough, that it is being deployed.
>
> - verisign will put .com in July http://bit.ly/dyd54E
> - .org will be available in June http://bit.ly/abEJ28
> - .gov went dnssec in March 2009 http://bit.ly/bH27b0
> - The root will be signed July 2010 http://bit.ly/9YQMDJ
> - a map of dnssec deployment http://www.xelerance.com/dnssec/
>
> So listening to Dan Kaminsky you would think that he is against X509. Well
> certainly it could be improved a lot, but he is not quite as negative as one
> may think. X.509 with DNSsec seems to be something he thinks can work.
>
> What he told me after his CCC and HAR talks and what you can see in the last
> few minutes of the HAR talk "X509 considered Harmful" http://bit.ly/2darr8 is
> that once DNS is secure one could put the X509 (self signed even) certs into
> the DNS records. This would bypass the need for CAs. [ I hope I understood
> him correctly ]. I am not sure what needs to be done to make this possible
> with the browser vendors, but it would massively improve security on the web.
>
> As a result I have fait that the global situation on the internet will only
> make foaf+ssl solutions easier and more secure to deploy, enabling a
> completely distributed social network to emerge, free and without the spying,
> as Eben Moglen author of the GPL said so well recently http://bit.ly/brQmJz
>
> Henry
>
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Social-discuss] Re: DNSSEC update and client side certificates,
Story Henry <=