[Cryptography] DNSSEC = completely unnecessary?

Greg greg at kinostudios.com
Tue Nov 5 11:47:55 EST 2013


On Nov 4, 2013, at 8:48 PM, Bill Stewart <bill.stewart at pobox.com> wrote:
> SSH isn't HTTPS.  Nor are SFTP, SCP, etc.

These, I believe, use the exact same mechanism (and often the same keys) for enc + auth, correct?

IMO they do a better job at auth than HTTPS and DNSSEC, because at least with SSH there's no list of CAs to trust. Much harder to MITM it than HTTPS.

> Outbound Email isn't HTTPS, even if it's sometimes TLS.
> Inbound SMTP often isn't even TLS, but sometimes you want to check where it came from.
> DNS isn't HTTPS, but sometimes you want to trust it, or if you're Dan Kaminsky you might want to tunnel ssh and video over it.
> NFS isn't HTTPS, and sometimes you want to use DNS with it.
> Printer protocols often aren't HTTPS.

[ .. ]

> DNSSEC doesn't protect you against exactly the same threats that SSL/TLS CAs do - it does a better job of confirming that you're talking to example.com when you think you are.  Some CAs try to do a better job of telling you that example.com belongs to The Example Corporation, as opposed to examp1e.com (note the numeral "1") which belongs to Scammers Inc., but you've got to be good at restricting which CAs you believe.

OK, well, the solution isn't DNSSEC.

SMTP, DNS, NFS, printer protocols, et al., need to be using encryption + authentication, and not relying on a handful of CAs for it.

DNSSEC is not the answer to these problems.

DNSSEC is yet another giant problem to which the answer is the garbage can.

We need to get rid of CAs completely.

The idea of all-important authority figures to determine who is and is not trustworthy sounds like it's coming straight out of some sort of dystopian novel.

Yes, we need an _authority_, but we can do completely without authority figures (and be better off).

The "ultimate authority" should not be some random third party machine sitting in a basement in god knows where. If there is an "ultimate authority", it's the individual/printer themselves, and no one else.

And when they are unable to speak for themselves, it should be the network itself, and not one that's arranged in any sort of hierarchical fashion with a "head boss" holding "master keys" at the top.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
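[Editor's note, added example, not part of Greg's message or of any OpenSSH code.] The SSH host-authentication model Greg contrasts with CA-based TLS above is key pinning: the client remembers each server's public key in known_hosts and refuses to continue if the presented key ever changes. The example below reconstructs that check offline. The host names, IP address and both 32-byte ed25519 public keys are constructed for illustration; the key blob layout (ssh-ed25519 wire encoding) and the SHA256 fingerprint format are the ones OpenSSH uses. The caveat a practitioner should keep in mind is the "unknown" branch: on the very first connection there is nothing to pin against, so trust-on-first-use is exactly where an active attacker can still insert a key (OpenSSH's optional @cert-authority host certificates exist to cover that gap, and they are a CA-style mechanism).

```python
"""SSH-style host authentication without a CA: a known_hosts pin check.

Added example for the thread; not code from the original post or from OpenSSH.
All keys and host names below are constructed for illustration.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the OpenSSH public-key blob for an ssh-ed25519 key (RFC 8709 layout)."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: base64, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key blob from known_hosts text.

    Comments and blank lines are skipped. Hashed entries ('|1|...') are skipped
    here to keep the example short; a real client must handle them too.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: hosts, keytype, base64 blob are mandatory
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        if hosts.startswith("|1|"):
            continue
        blob = base64.b64decode(b64)
        for host in hosts.split(","):  # one entry may list several host patterns
            pins[(host, keytype)] = blob
    return pins


def check_host_key(pins: dict, host: str, keytype: str, presented: bytes) -> str:
    """Decide what an SSH client does with the key a server just presented.

    'unknown'  -> no pin for this host: first use, the user must confirm (TOFU)
    'match'    -> pinned key equals the presented key: continue
    'mismatch' -> pinned key differs: refuse; the host key changed or a MITM is active
    """
    pinned = pins.get((host, keytype))
    if pinned is None:
        return "unknown"
    # Compare the whole blob, not a printed fingerprint string.
    return "match" if pinned == presented else "mismatch"


# Constructed sample data: a legitimate host key and an attacker-substituted one.
REAL_KEY = ed25519_blob(bytes(range(32)))
ATTACKER_KEY = ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts contents pinning REAL_KEY for two names of one server.
KNOWN_HOSTS = (
    "# constructed example file\n"
    "example.com,192.0.2.10 ssh-ed25519 "
    + base64.b64encode(REAL_KEY).decode()
    + " admin@laptop\n"
)


def demo() -> dict:
    """Run the three decision paths and return them keyed by scenario."""
    pins = parse_known_hosts(KNOWN_HOSTS)
    return {
        "genuine": check_host_key(pins, "example.com", "ssh-ed25519", REAL_KEY),
        "mitm": check_host_key(pins, "example.com", "ssh-ed25519", ATTACKER_KEY),
        "first_use": check_host_key(pins, "new.example", "ssh-ed25519", REAL_KEY),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:10s} -> {decision}")
    print("pinned fingerprint:  ", fingerprint(REAL_KEY))
    print("attacker fingerprint:", fingerprint(ATTACKER_KEY))
```

The point of the comparison with the CA model: nothing in this check consults a third party, so an attacker who can mint certificates from any of a few hundred trusted roots gains nothing against an already-pinned host. What the attacker gets instead is the "first_use" outcome, which is why the fingerprint a client shows on first connection has to be checked out of band rather than accepted reflexively.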
