[Cryptography] "Trust in digital certificate ecosystem eroding"
Guido Witmond
guido at witmond.nl
Mon May 4 14:42:57 EDT 2015
On 05/04/15 00:45, Christian Huitema wrote:
> On Sunday, May 3, 2015, at 11:02 AM, Guido Witmond wrote:
>> ... With DNSSEC and DANE, the site-owner *specifies* which CA is
>> the correct one *for their own site*.
>
> But! If the user lives in the Kingdom of Notrustistan, there is a
> catch. The local dictators could mandate that every computer and
> every phone ships with their very own version of ICANN root's key,
> enabling the Great Firewall of Notrustistan to spoof TLSA records and
> then MITM the TLS connections...
If someone has control over your endpoint, it's game over.
It's the ultimate form of Balkanization: spying on your own people *AND*
blocking nosy foreigners who don't have the tinpot-RootKey installed.
Why this is a real possibility, it's not a silent attack like having a
root CA certificate in the current browser trust stores.
Still, I think it is an improvement.
Because with the eccentric authentication protocol built upon DNSSEC and
DANE (and some more [1]), people inside the dictatorship still can
communicate securely with each other. So the dictator has to forbid that
too.
Regards, Guido.
[1]:
http://eccentric-authentication.org/eccentric-authentication/global_registry_of_dishonesty.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150504/8aeb86ed/attachment.sig>
More information about the cryptography
mailing list