To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Mark.Andrews@isc.org
Cc: namedroppers@ops.ietf.org, dnsop@cafax.se, dnssec@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Tue, 16 Jul 2002 17:07:47 +0200
In-Reply-To: <200207160504.OAA02957@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: dnssec discussion today at noon

At 2:04 PM +0859 2002/07/16, Masataka Ohta wrote:

>> And what does this have to do with DNSSEC?
>
> The theory explains the reality that public key cryptography
> (including DNSSEC) is not used for serious purposes.

Not used for serious purposes?!? Okay, let's have you run a B2B
website where billions of dollars can be moved with the click of a
single mouse button. Now, we have to ensure that you really are
interacting with the real B2B website and not some clever fake, or
worse, some site that performs a man-in-the-middle attack on you
while you are conducting a real transaction, so that they can later
go in and conduct multiple fake transactions.

How about home banking? Sure, hundreds, thousands, tens of
thousands, etc... of dollars may not be a whole lot of money to you,
but they may be the entire life savings of a family. Multiply that
by 250 million people in the US alone, and you're talking about some
real money.

I'm sorry. I don't buy your argument at all. Not in the least.

I'm not saying that DNSSEC is necessarily the only solution to
the problem, or even the best solution to the problem, or necessarily
even one solution to the problem, but it is at least a step closer to
one solution to the problem, and by working with DNSSEC and seeing
where it works and where it fails, we can get closer to a real
solution.

> Such security is not useful for serious purposes, when no one is
> really responsible if your transactions are spoofed.

Okay, so we can all sue you for billions and trillions of dollars
worth of damages when someone spoofs a DNS response packet which then
leads us to be vulnerable to man-in-the-middle attacks.

> Just as you can rely on people operating name servers, you
> can rely on people operating routers.

No, in both cases. There are a multitude of heinously screwed up
servers in this world, and a multitude of heinously screwed up
routers, too.

If you don't believe me, then believe KC Claffy from CAIDA (see
<http://www.caida.org/outreach/presentations/dns0701/mgp00003.html>).

--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.