DNSSEC to be strangled at birth.

James A. Donald jamesd at echeque.com
Fri Apr 6 15:16:10 EDT 2007


Nicolas Williams wrote:
 > Which means that the MITM would need the cooperation
 > of the client's provider in many/most cases (a
 > political problem) in order to be able to quickly get
 > in the middle so close to a leaf node (a technical
 > problem).

Not a very large political problem.  Most ISPs not only
roll over for the DOJ, the FBI, and the DHS, they also
roll over for the Russian mafias.

With the root key and the cooperation of nodes close to
the client, you can intercept SSH and SSL communications
that rely on DNSSEC.  Without the root key, you cannot.
This is huge.

This, of course, means the sensible man configures SSH
not to rely on DNSSEC by default, which substantially
reduces the benefit of SSH.

---------------------------------------------------------------------
The Cryptography Mailing List