[Cryptography] ISPs caught in STARTTLS downgrade attacks

Paul Wouters paul at cypherpunks.ca
Fri Nov 14 17:37:52 EST 2014

On Fri, 14 Nov 2014, Watson Ladd wrote:

> > Disagree. Publish a openpgpkey/smimekey in DNS(SEC) and use it for
> > transport security. On your own receiving email server, decrypt and
> > store. You keep all the benefits. For super important stuff, use another
> > key which only lives on your offline machine, with key in a vault or
> > whatever you do.
> Most people don't run their own mail servers, and there isn't a per user key discovery mechanism yet. One can easily be designed: it
> just hasn't been.

If you trust your mail provider enough to publish your key, there are
ways of discovering this per user:


There are a few implementations that already use this draft. There is
also one for smime:

> Most PGP users don't use 1024 bit RSA. Interesting how DNSSEC proponents never mention that this is what they want to use.

I wish people stopped repeating red herrings.

First, there is a huge difference between using 1024 bit RSA keys for your
zone for 30 days and key strength for ensuring things cannot be
decrypted for 50 years. Second, no one needs to use 1024 bit keys. For
the software I maintain (opendnssec in Fedora and RHEL), the default
is 2048 bit RSA keys. Using ECC now is unwise because it still has
a 25% validation failure rate. The world still needs to upgrade their
DNS servers.

If you are concerned about the root zone ZSK being 1024 bit, and you think
that zone is broken, then you can configure additional TLD trust
anchors, e.g. the one for .org or .ca or .com. It is similar to cert
pinning. However, we are also working in the IETF to get transparency
logs for DNSSEC, so even if a parental key gets abused to sidestep your
zone with a super strength key algo and size, you will find out you were
targeted. See https://tools.ietf.org/wg/trans/

None of these are alternatives for a personally verified strong openpgp
key. And all of these are better than plaintext. It raises the attack
from passive to active, to active with a guarantee your attack will be
noticed. There is no reason not to do this. And anyone saying this
system is worse than their current plaintext solution should work on
solutions instead of living with their failure.

Seriously, the crypto community has too many crybabies and not enough
implementors. I'd be happy if someone designs and implements something
that's better. Please obsolete me.
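Added example, not part of the message above or of any of the implementations it refers to: the per-user key discovery being discussed hashes the local part of an e-mail address into a DNS owner name under a fixed label and publishes the key as an OPENPGPKEY (or SMIMEA) record there. The code below follows the form those drafts ended up as in RFC 7929 (label `_openpgpkey`) and RFC 8162 (label `_smimecert`): SHA-256 of the UTF-8 local part, truncated to 28 octets and hex-encoded. Whether the 2014 drafts used exactly these parameters is an assumption; the sample key bytes are constructed and are not a real OpenPGP key, and the packet-tag check is a sanity check added here, not a full OpenPGP parser.

```python
"""Derive DANE owner names for per-user key discovery and build/check the records.

Assumptions (labelled): RFC 7929 (OPENPGPKEY) and RFC 8162 (SMIMEA) name
derivation; the local part is hashed byte-for-byte as given, only the domain
part is lowercased here. Nothing in this file talks to the network.
"""
import base64
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"  # RFC 7929
SMIMEA_LABEL = "_smimecert"       # RFC 8162
HASH_HEX_LEN = 56                 # SHA-256 truncated to 28 octets -> 56 hex chars
PUBLIC_KEY_PACKET_TAG = 6         # RFC 4880 Public-Key Packet


def split_address(address: str) -> tuple[str, str]:
    """Split user@domain; reject anything that is not a simple address."""
    if address.count("@") != 1:
        raise ValueError(f"not a simple user@domain address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"empty local or domain part: {address!r}")
    return local, domain.rstrip(".").lower()


def local_part_hash(local: str) -> str:
    """SHA-256 of the UTF-8 local part, truncated to 28 octets, lowercase hex."""
    return hashlib.sha256(local.encode("utf-8")).hexdigest()[:HASH_HEX_LEN]


def openpgpkey_owner(address: str) -> str:
    """Fully qualified owner name of the OPENPGPKEY record for this address."""
    local, domain = split_address(address)
    return f"{local_part_hash(local)}.{OPENPGPKEY_LABEL}.{domain}."


def smimea_owner(address: str) -> str:
    """Fully qualified owner name of the SMIMEA record for this address."""
    local, domain = split_address(address)
    return f"{local_part_hash(local)}.{SMIMEA_LABEL}.{domain}."


def first_packet_tag(key_bytes: bytes) -> int:
    """Return the RFC 4880 packet tag of the first packet in a transferable key.

    Bit 7 of the first octet must be set; bit 6 selects new-format headers
    (tag in the low 6 bits) versus old-format headers (tag in bits 2..5).
    """
    if not key_bytes or not key_bytes[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = key_bytes[0]
    if first & 0x40:
        return first & 0x3F
    return (first >> 2) & 0x0F


def openpgpkey_record(address: str, key_bytes: bytes) -> str:
    """Zone-file line publishing key_bytes as the OPENPGPKEY record for address.

    Refuses data that does not start with a Public-Key packet, which catches
    the common mistake of publishing an ASCII-armoured or secret key blob.
    """
    if first_packet_tag(key_bytes) != PUBLIC_KEY_PACKET_TAG:
        raise ValueError("RDATA must start with an OpenPGP Public-Key packet")
    rdata = base64.b64encode(key_bytes).decode("ascii")
    return f"{openpgpkey_owner(address)} IN OPENPGPKEY {rdata}"


def parse_openpgpkey_rdata(rdata: str) -> bytes:
    """Decode the base64 RDATA of a fetched OPENPGPKEY record and sanity-check it."""
    key_bytes = base64.b64decode(rdata, validate=True)
    if first_packet_tag(key_bytes) != PUBLIC_KEY_PACKET_TAG:
        raise ValueError("record does not carry a transferable public key")
    return key_bytes


if __name__ == "__main__":
    # Constructed sample: old-format header 0x99 = tag 6 with a 2-octet length,
    # followed by 3 bytes of dummy body. Not a real key.
    sample_key = b"\x99\x00\x03abc"
    print(openpgpkey_owner("hugh@example.com"))
    print(smimea_owner("hugh@example.com"))
    print(openpgpkey_record("hugh@example.com", sample_key))
```

A resolver-side client would query the name returned by `openpgpkey_owner()` with DNSSEC validation required (the AD bit set, or better, a local validating resolver) and feed the decoded bytes to its OpenPGP implementation; without the DNSSEC check the record is only as trustworthy as the unauthenticated DNS answer.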

