Is cryptography where security took the wrong branch?

bmanning at karoshi.com bmanning at karoshi.com
Wed Sep 10 12:57:41 EDT 2003


> 
> At 03:39 AM 9/10/2003 -0700, bmanning at karoshi.com wrote:
> >         There are some other problems w/ using the DNS.
> >                 No revocation process.
> >                 DNS caching
> >                 third-party trust (DNS admins != delegation holder)
> 
> Given high value &/or low trust ... relying parties still have option of 
> directly contacting root authority. And as outlined, the root authority is 
> also the root authority for the CA/PKIs. If you attack the root trust 
> authority with false information .... then all subsequent trust operations 
> flowing from that false information are suspect. Domain name system still 
> has some exploits against the root database resulting in false information 
> .... but since that is the root for both DNS as well as CA/PKIs generating 
> SSL domain name certificates .... it is a common failure point for both 
> infrastructures. It needs to be fixed, in order to improve trust on either 
> the DNS side or the CA/PKI side (doesn't matter how thick you make the 
> vault door .... if somebody forgot to complete the back wall on the vault).

	ok...  does anyone else want to "touch" a secured DNS system
	that has some parts of the tree fully signed?  It's a way to 
	get some empirical understanding of how interesting/hard
	it is to hammer the DNS into a PKI-like thing.

	www.rs.net  has some information.

> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 

