> On 1 Nov 2013, at 06:35, Evan Hunt <e...@isc.org> wrote:
>
>> On Fri, Nov 01, 2013 at 03:29:12PM +0900, Masataka Ohta wrote:
>> TLS is another PKI and is inherently insecure as CAs can be
>> compromised.
>
> True, but Tony's quorum-based approach could be made exhaustive enough
> that the adversary would have to have compromised *every* CA. If they
> can do that, I'm not sure any realistic defense is possible anyway.
Right. At the moment the code is just trying different host names. This deals with compromised server certs OK, but is not enough for compromised CA certs. So the quorum needs to be counted in terms of different CAs.

The usual way for TLS MitM attacks to work is by installing a malicious cert in the user's CA store. I think I have heard of malware doing this, and TLS interceptors usually require corporations to enforce self-abuse of this kind on their desktop systems. In this situation the attacker can trivially fool tlsdate. But not if you check that you got the time from several different hosts authenticated by different CAs.

The next question is how feasible it would be for an adversary to mount a Sybil attack on your CA store. That probably requires complete pwnage at which point getting the right time is the least of your problems.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
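The CA-counted quorum Tony describes, as an added example that is not part of the thread and not tlsdate's own code. It assumes a constructed list of probe results of the form (host, issuing CA name, observed epoch seconds); tlsdate does not expose such records, so the record shape and the helper name `ca_quorum_time` are assumptions. Each CA gets one vote (the median of the times seen from hosts it issued certificates for), and a time is accepted only when at least `min_cas` distinct CAs agree within `tolerance` seconds. Three hosts all chained to the same CA therefore do not reach quorum, which is exactly the case a single compromised or injected CA would produce.

```python
from collections import defaultdict
from statistics import median

# Constructed sample probe results: (host, issuing CA, observed epoch seconds).
# These are assumptions for illustration, not real hosts or real tlsdate output.
SAMPLE_PROBES = [
    ("a.example", "CA One", 1383283200),
    ("b.example", "CA One", 1383283201),
    ("c.example", "CA One", 1383283199),
    ("d.example", "CA Two", 1383283202),
    ("e.example", "CA Three", 1383283198),
    ("f.example", "CA Four", 1383290000),  # disagrees by roughly two hours
]


def ca_quorum_time(probes, min_cas=3, tolerance=5):
    """Return (agreed_time, cas_used).

    agreed_time is the median of the per-CA votes that agree within
    `tolerance` seconds, or None when fewer than `min_cas` distinct
    issuing CAs agree. Hosts are never counted directly: however many
    hosts share one CA, that CA contributes a single vote.
    """
    # Collapse hosts to one vote per issuing CA.
    by_ca = defaultdict(list)
    for _host, ca, observed in probes:
        by_ca[ca].append(observed)
    ca_votes = {ca: median(times) for ca, times in by_ca.items()}

    # Pick the largest set of CA votes that lie within `tolerance` of
    # some candidate centre; outliers (e.g. one CA feeding a wrong
    # time) fall outside every cluster that the honest CAs form.
    best = []
    for centre in ca_votes.values():
        cluster = [ca for ca, vote in ca_votes.items()
                   if abs(vote - centre) <= tolerance]
        if len(cluster) > len(best):
            best = cluster

    if len(best) < min_cas:
        return None, sorted(best)
    return median(ca_votes[ca] for ca in best), sorted(best)


if __name__ == "__main__":
    print(ca_quorum_time(SAMPLE_PROBES))
    # Only hosts behind a single CA: no quorum, whatever the host count.
    print(ca_quorum_time([p for p in SAMPLE_PROBES if p[1] == "CA One"]))
```

The clustering step matters as much as the CA counting: without it, one CA reporting a wildly wrong time would either poison a plain average or be silently outvoted by a host-count rule, whereas here it is simply excluded from the agreeing set and the caller can see which CAs were actually relied on.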