Re: DNSSEC? Re: MITM in the wild
* Alaric Dailey:

> DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit.

Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to organizations which do not run the business which eventually uses the certificate.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: DNSSEC? Re: MITM in the wild
On 11/15/2008 05:19 PM, Florian Weimer:

> * Alaric Dailey:
>
>> DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit.
>
> Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to organizations which do not run the business which eventually uses the certificate.

Can you please back up your claim and provide us with a few examples? Since this happens routinely, I'm sure you won't have a problem providing us with some...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Re: DNSSEC? Re: MITM in the wild
Eddy Nigg wrote:

> On 11/15/2008 05:19 PM, Florian Weimer:
>
>> * Alaric Dailey:
>>
>>> DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit.
>>
>> Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to organizations which do not run the business which eventually uses the certificate.
>
> Can you please back up your claim and provide us with a few examples? Since this happens routinely, I'm sure you won't have a problem providing us with some...

Businesses are bought and sold all the time. A good reputation is a fungible asset that is often part of the valuation process in the sale of a business. The extreme example is the bustout, where organized crime takes over a business with a good reputation and uses it as a platform for criminal activities (a favorite is stock brokerage.)

It's happened a number of times online. There's the old scheme of the crook who finds an eBay merchant with an excellent feedback score, buys his ID and his computer (getting all the cookies and MAC address etc. with it) and sells a thousand imaginary laptops.

There are companies like Toysmart.com, a good company that ran into trouble in the dotcom bust and sold itself to some mysterious entity that was out to make interesting use of customer information, disregarding of course all of Toysmart's privacy statements. Some good investigative journalism shined the spotlight on one of Toysmart's stockholders, Disney, which bought it out at the last minute and killed it to protect their own reputation.

Businesses with good reputations and EV certificates can get into trouble. When that happens, the reputation and certificates become a very visible asset to buyers with money and bad reputations.

WK
Re: DNSSEC? Re: MITM in the wild
On 11/15/2008 05:57 PM, Wes Kussmaul:

> Eddy Nigg wrote:
>
>> On 11/15/2008 05:19 PM, Florian Weimer:
>>
>>> * Alaric Dailey:
>>>
>>>> DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit.
>>>
>>> Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to organizations which do not run the business which eventually uses the certificate.
>>
>> Can you please back up your claim and provide us with a few examples? Since this happens routinely, I'm sure you won't have a problem providing us with some...
>
> Businesses are bought and sold all the time. A good reputation is a fungible asset that is often part of the valuation process in the sale of a business. The extreme example is the bustout, where organized crime takes over a business with a good reputation and uses it as a platform for criminal activities (a favorite is stock brokerage.)
>
> It's happened a number of times online. There's the old scheme of the crook who finds an eBay merchant with an excellent feedback score, buys his ID and his computer (getting all the cookies and MAC address etc. with it) and sells a thousand imaginary laptops.
>
> There are companies like Toysmart.com, a good company that ran into trouble in the dotcom bust and sold itself to some mysterious entity that was out to make interesting use of customer information, disregarding of course all of Toysmart's privacy statements. Some good investigative journalism shined the spotlight on one of Toysmart's stockholders, Disney, which bought it out at the last minute and killed it to protect their own reputation.
>
> Businesses with good reputations and EV certificates can get into trouble. When that happens, the reputation and certificates become a very visible asset to buyers with money and bad reputations.

Your argument might be valid or not, but it's not related to the claim Florian made. I'd like to see real evidence concerning the claim made about EV certificates.

eBay merchants may be bought by crooks, I don't know and it is out of the scope of digital certification. Let's stay focused! I want to see an EV certificate securing a web site not belonging to the organization to which it was issued, please.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Re: DNSSEC? Re: MITM in the wild
At 8:20 PM +0200 11/15/08, Eddy Nigg wrote:

> Let's stay focused!

This thread started off with a purported newbie having a problem with seeing self-signed certs where she shouldn't have. It then morphed into a discussion of security UI design. Then it went to what users should and should not be told about. Then it went back to how to design the UI for encountering self-signed certs. Then there was a long, somewhat defensive discussion about the value added by certificate authorities. Then it went to DNSSEC. Then it went to EV certs.

Which of those did you want to focus on?
Re: DNSSEC? Re: MITM in the wild
On 11/15/2008 10:04 PM, Paul Hoffman:

> At 8:20 PM +0200 11/15/08, Eddy Nigg wrote:
>
>> Let's stay focused!
>
> This thread started off with a purported newbie having a problem with seeing self-signed certs where she shouldn't have. It then morphed into a discussion of security UI design. Then it went to what users should and should not be told about. Then it went back to how to design the UI for encountering self-signed certs. Then there was a long, somewhat defensive discussion about the value added by certificate authorities. Then it went to DNSSEC. Then it went to EV certs.

That is what makes this place truly interesting :-) Of course we could/should change the subject once in a while, but not everybody is familiar with this practice...

> Which of those did you want to focus on?

Right now about the claim made by Florian.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Re: DNSSEC? Re: MITM in the wild
Anders Rundgren wrote:

> I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the most authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?

DNSSEC only attempts to ensure that you get the (a) correct IP address. It does absolutely nothing to ensure that you actually are connected to the site you wanted. It doesn't obviate SSL or PKI at all.
Re: DNSSEC? Re: MITM in the wild
On 11/10/2008 09:52 PM, Nelson Bolyard:

> Anders Rundgren wrote:
>
>> I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the most authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
>
> DNSSEC only attempts to ensure that you get the (a) correct IP address. It does absolutely nothing to ensure that you actually are connected to the site you wanted. It doesn't obviate SSL or PKI at all.

I believe it would only strengthen domain and email validation procedures as the CA has means to verify DNS response better.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Re: DNSSEC? Re: MITM in the wild
Nelson Bolyard wrote:

>> I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the most authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
>
> DNSSEC only attempts to ensure that you get the (a) correct IP address. It does absolutely nothing to ensure that you actually are connected to the site you wanted. It doesn't obviate SSL or PKI at all.

Is DNSSEC secure enough to make the statement "DNS name www.example.com is signed by CA with fingerprint ABCD"?

If so, a website can publish the expected CA that signed the cert for that website, giving an out of band method to confirm whether the cert presented to the client is legitimate or not.

Regards,
Graham
RE: DNSSEC? Re: MITM in the wild
DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit. Certs regardless of the class enable encryption.

Thus DNSSEC would, in theory, prevent a cert from being stolen. So rather than replacing, or weakening CAs and PKI, it would enhance reliability, and close the threat of a blended (and undetectable) attack of a compromised cert and pharming.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Rundgren
Sent: Monday, November 10, 2008 1:25 AM
To: mozilla's crypto code discussion list
Subject: DNSSEC? Re: MITM in the wild

I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the most authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?

Anders
Re: DNSSEC? Re: MITM in the wild
At 11:52 AM -0800 11/10/08, Nelson Bolyard wrote:

> DNSSEC only attempts to ensure that you get the (a) correct IP address.

s/only/only currently/

You can stick any data you want in the DNS. Currently the most popular data is the A record (IP address) associated with a domain name, but it is quite possible to put other data associated with a domain name in the DNS as well. DNSSEC cryptographically protects any type of DNS data, including assertions that a DNS name is associated with a public key.

There are strong pros and strong cons of using the DNS as a reliable public key association mechanism. This has been discussed ad nauseam for over a decade by the people designing the DNS. Here's just one of many problems: there is no way for a browser to know whether the public key data it is getting from the DNS is signed by DNSSEC, much less validated all the way to a trust anchor. Whoopsie.

DNS folks often have their religious views even more entrenched than security folks. There is no strong consensus in the DNS community on this topic. Saying it can be done is quite different than saying it should be done.
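Added example, not part of any message in this thread: a sketch of the check discussed in the two messages above, where a site publishes the fingerprint of the CA expected to sign its certificate and the client relies on it only if the DNS answer was DNSSEC-validated. The `DnsPinAnswer` record, its `validated` flag and the byte strings standing in for certificates are constructed assumptions, not a real record type or resolver API.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class PinResult(Enum):
    MATCH = "match"            # authenticated pin agrees with the presented chain
    MISMATCH = "mismatch"      # authenticated pin disagrees with the chain
    UNVERIFIED = "unverified"  # answer not DNSSEC-validated: proves nothing
    NO_PIN = "no_pin"          # validated answer carries no pin for this host

@dataclass(frozen=True)
class DnsPinAnswer:
    """Hypothetical resolver result; not a real record type or library API."""
    name: str
    ca_fingerprints: frozenset  # hex SHA-256 of acceptable issuing-CA certs
    validated: bool             # True only if signatures chain to a trust anchor

def fingerprint(cert_bytes: bytes) -> str:
    return hashlib.sha256(cert_bytes).hexdigest()

def check_ca_pin(answer, hostname, chain):
    """Compare the CA certs in `chain` against the pin published in DNS."""
    if not answer.validated:
        # Whoever can forge the A record can forge (or strip) the pin too,
        # so an unvalidated answer must not count for or against the cert.
        return PinResult.UNVERIFIED
    if answer.name.rstrip(".").lower() != hostname.rstrip(".").lower():
        return PinResult.NO_PIN
    if not answer.ca_fingerprints:
        return PinResult.NO_PIN
    presented = {fingerprint(c) for c in chain}
    pins = {p.lower() for p in answer.ca_fingerprints}
    return PinResult.MATCH if presented & pins else PinResult.MISMATCH

# Constructed byte strings standing in for DER-encoded CA certificates.
EXPECTED_CA = b"constructed stand-in: CA the site says it uses"
OTHER_CA = b"constructed stand-in: some other CA"

def demo():
    host = "www.example.com"
    signed = DnsPinAnswer("www.example.com.", frozenset({fingerprint(EXPECTED_CA)}), True)
    forged = DnsPinAnswer("www.example.com.", frozenset({fingerprint(OTHER_CA)}), False)
    return [
        check_ca_pin(signed, host, [EXPECTED_CA]),  # pin and chain agree
        check_ca_pin(signed, host, [OTHER_CA]),     # chain from an unexpected CA
        check_ca_pin(forged, host, [OTHER_CA]),     # unvalidated pin is ignored
    ]

if __name__ == "__main__":
    for result in demo():
        print(result.value)
```

The third case is the one the second message warns about: without knowing that the answer validated to a trust anchor, a pin that happens to agree with the presented certificate carries no weight.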
DNSSEC? Re: MITM in the wild
I haven't followed this lengthy discussion in detail but I have for a long time wondered how DNSSEC and SSL-CA-Certs should coexist. Which one will be the most authoritative? Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?

Anders