Shumon Huque wrote:
> "EV" = Extended Validation certificates.
Extending human validation is still human.
> Re-establishing (Establishing?) the concept of accountability,
No, thanks.
For accountability with regard to full compensation for losses, that
is, *M*O*N*E*Y*, CAs are not accountable
On Tue, Mar 02, 2010 at 06:13:28AM +0900, Masataka Ohta wrote:
> Phillip Hallam-Baker wrote:
>
> > Moving to DNSSEC, regardless of the technical model does not eliminate
> > the need for certificates or CAs. The purpose of EV certificates is to
> > re-establish the principle of accountability.
>
Wassim Haddad wrote:
>>I don't know what EV means, but anything human, including CA, is not
>>infallible, which is why PKI is insecure.
> => Can you please explain in few lines what would be your preference(s) for
> a solution to enable DNSsec?
> I apologize if you have already submitted a propos
On Mon, Mar 1, 2010 at 2:13 PM, Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:
Phillip Hallam-Baker wrote:
>
> > Moving to DNSSEC, regardless of the technical model does not eliminate
> > the need for certificates or CAs. The purpose of EV certificates is to
> > re-establish the principl
Phillip Hallam-Baker wrote:
> Moving to DNSSEC, regardless of the technical model does not eliminate
> the need for certificates or CAs. The purpose of EV certificates is to
> re-establish the principle of accountability.
I don't know what EV means, but anything human, including CA, is not
infall
On Mon, 1 Mar 2010, Tony Finch wrote:
DNSSEC is already deployed in 12 top-level domains
Add a half for .uk :-) It has a deliberately invalid DNSKEY this week,
full deployment next week.
There is more then the 12 in itar. From the top of my head: .br .us .museum and
.pt,
and of course a lar
On Mon, 1 Mar 2010, David Conrad wrote:
>
> DNSSEC is already deployed in 12 top-level domains
Add a half for .uk :-) It has a deliberately invalid DNSKEY this week,
full deployment next week.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH
On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:
> Please remember the Kaminsky dns bug did not identify a security problem with
> the DNS but the UDP transport.
The problem Dan Kaminsky exploited is a known weakness in the DNS protocol,
specifically that a 16-bit identifier space is too small.
I just want to remind everyone that a DNScurve draft is on the table.
http://tools.ietf.org/html/draft-dempsky-dnscurve-01
There is an urgent need to solve the DNS security issues within a reasonable
period of time.
Please remember the Kaminsky dns bug did not identify a security problem
with th
Once you have established an SSH relationship the protocol allows you
to determine with a high degree of confidence that you are connecting
to the same end point in future.
That is not a perfect security control but it is a very useful one. It
is a much more useful control than any provided by inf
Some CAs sacrificed security for profitability. Which was the reason I
started the EV process. If the race to the bottom had continued the
products we sold would have no value at all.
Getting your root into a browser requires you to get a WebTrust audit
against your CPS. The problem is that before
Who are these 'security researchers' of whom you speak? I am a
principal in the security field, if you want to contradict me then you
should either say that something is your personal opinion or you
should specify the other parties you are referring to.
The reason that I want to see what the key r
Phillip Hallam-Baker wrote:
> Once you have established an SSH relationship
That's the (lack of) security of SSH by return routability. PERIOD.
Masataka Ohta
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.
Phillip Hallam-Baker wrote:
> SSH is not a bad security protocol. It provides a very high level of
> protection against high probability risks with little or no impact on
> the user. There is a narrow window of vulnerability to a man in the
> middle attack.
As a security researcher, I can teach y
> From: Shumon Huque
> Any of them, whether by malice or by being tricked, can issue a
> certificate for any of your services. Our security is basically as good
> as the the CA with the laxest policies & worst security.
Sounds like a poor attribute for a security architeture...
On Thu, Feb 25, 2010 at 11:55:03AM -0500, Paul Wouters wrote:
> On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:
> >If DNSSEC succeeds, the domain validated certificate business will
> >have to either transform or eventually die. I think that for most CAs,
> >the business opportunities from SSL+DNS
On 2010-02-24, at 15:50, Tony Finch wrote:
> On Wed, 24 Feb 2010, Shane Kerr wrote:
>>
>> DNSSEC declares out of scope:
>> * the channel where DS records get added to the parent
>
> Is that actually out of scope or just not specified yet?
The whole channel from end-user (registrant) to re
On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:
But SSH would be much better if we could integrate the key
distribution into a secured DNS.
See previous post. Already done and running.
And self-signed SSL certs would be
better if we could use hash values distributed through a secured DNS
to
On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:
>
> But SSH would be much better if we could integrate the key
> distribution into a secured DNS.
RFC 4255 "Using DNS to Securely Publish Secure Shell (SSH) Key
Fingerprints"
Tony.
--
f.anthony.n.finchhttp://dotat.at/
GERMAN BIGHT HUMBER: SOUT
On Thu, 25 Feb 2010, Nikos Mavrogiannopoulos wrote:
Ssh without secure public key distribution mechanism is not really
secure cryptographically.
In general, public key cryptography is scure only if public key
distribution is secure.
Well as far as I know ssh works pretty well today and this m
I find blanket statements of the form 'Verifiability does not scale'
to be inconsistent with the facts.
We do in fact have a very successful PKI industry with multiple
companies competing in a multi-billion dollar market. The only reason
this is not heralded as the triumph of PKI is that some peop
You do not make problems disappear by declaring them out of scope.
Security systems are social systems. If you have not considered the
business and social issues you haven't got a system.
Security is about people, not protocols.
On Wed, Feb 24, 2010 at 2:30 PM, Shane Kerr wrote:
> Phillip,
>
>
Nikos Mavrogiannopoulos wrote:
>>In general, public key cryptography is scure only if public key
>>distribution is secure.
> Well as far as I know ssh works pretty well today
With plain old DNS, yes, ssh works pretty well today.
However, it should be noted that first ssh connection may be
misdi
Paul Wouters пишет:
DNSSEC declares out of scope:
* the channel where DS records get added to the parent
Is that actually out of scope or just not specified yet?
Out of scope. It is the bootstrap problem. Though with RFC-5011
It is much more than bootstrap problem.
and perhaps draf
Masataka Ohta wrote:
> Nikos Mavrogiannopoulos wrote:
>
>> Not really. I Don't know what you mean by simple nonce, but as I
>> understand dnscurve if implemented properly would have ssh-style
>> authentication.
>
> Ssh without secure public key distribution mechanism is not really
> secure crypto
Nikos Mavrogiannopoulos wrote:
> Not really. I Don't know what you mean by simple nonce, but as I
> understand dnscurve if implemented properly would have ssh-style
> authentication.
Ssh without secure public key distribution mechanism is not really
secure cryptographically.
In general, public k
On Thu, Feb 25, 2010 at 1:07 AM, Masataka Ohta
wrote:
> Mark Andrews wrote:
>
http://tools.ietf.org/html/draft-dempsky-dnscurve-00
>>>
>>>As I read the draft, it seems to me that DNSCurve without Curve
>>>(that is, with 96 bit nonce of DNSCurve as an extended message
>>>ID without elliptic cur
Mark Andrews wrote:
>>>http://tools.ietf.org/html/draft-dempsky-dnscurve-00
>>
>>As I read the draft, it seems to me that DNSCurve without Curve
>>(that is, with 96 bit nonce of DNSCurve as an extended message
>>ID without elliptic curve cryptography) is secure enough.
> Except from players that
In message <4b85b7e5.1000...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Marc Petit-Huguenin wrote:
>
> > http://tools.ietf.org/html/draft-dempsky-dnscurve-00
>
> As I read the draft, it seems to me that DNSCurve without Curve
> (that is, with 96 bit nonce of DNSCurve as an extended mes
Marc Petit-Huguenin wrote:
> http://tools.ietf.org/html/draft-dempsky-dnscurve-00
As I read the draft, it seems to me that DNSCurve without Curve
(that is, with 96 bit nonce of DNSCurve as an extended message
ID without elliptic curve cryptography) is secure enough.
At 1:50 PM -0800 2/24/10, Marc Petit-Huguenin wrote:
>On 02/24/2010 01:14 PM, Paul Hoffman wrote:
>> At 8:50 PM + 2/24/10, Tony Finch wrote:
>>> On Wed, 24 Feb 2010, Shane Kerr wrote:
DNSSEC declares out of scope:
* the channel where DS records get added to the parent
>>>
>
On 02/24/2010 01:14 PM, Paul Hoffman wrote:
> At 8:50 PM + 2/24/10, Tony Finch wrote:
>> On Wed, 24 Feb 2010, Shane Kerr wrote:
>>>
>>> DNSSEC declares out of scope:
>>> * the channel where DS records get added to the parent
>>
>> Is that actually out of scope or just not specified yet?
>
On Wed, 24 Feb 2010, Paul Hoffman wrote:
> At 8:50 PM + 2/24/10, Tony Finch wrote:
> >On Wed, 24 Feb 2010, Shane Kerr wrote:
> >>
> >> DNSSEC declares out of scope:
> >> * the channel where DS records get added to the parent
> >
> >Is that actually out of scope or just not specified yet?
At 8:50 PM + 2/24/10, Tony Finch wrote:
>On Wed, 24 Feb 2010, Shane Kerr wrote:
>>
>> DNSSEC declares out of scope:
>> * the channel where DS records get added to the parent
>
>Is that actually out of scope or just not specified yet?
What part of DNSCurve did you think was "specified" ye
On Wed, 24 Feb 2010, Tony Finch wrote:
On Wed, 24 Feb 2010, Shane Kerr wrote:
DNSSEC declares out of scope:
* the channel where DS records get added to the parent
Is that actually out of scope or just not specified yet?
Out of scope. It is the bootstrap problem. Though with RFC-5011
On Wed, 24 Feb 2010, Shane Kerr wrote:
>
> DNSSEC declares out of scope:
> * the channel where DS records get added to the parent
Is that actually out of scope or just not specified yet?
Tony.
--
f.anthony.n.finchhttp://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH
Phillip,
On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote:
> I took a look at DNSCurve. Some points:
>
> * It could certainly win.
> * It is designed as a hack rather than an extension.
> * It considers real world requirements that DNSSEC does not.
>
> On the 'winning' front. Have p
37 matches
Mail list logo