To: Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>, dnsop@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Tue, 15 Oct 2002 10:07:18 -0400
In-Reply-To: <20021015122128.P51431@Space.Net>
Sender: owner-dnsop@cafax.se
Subject: Re: Interim signing of the root zone.
At 12:21 +0200 10/15/02, Markus Stumpf wrote:

>.................. Do you still believe certificates issued by VeriSign?
>Do you believe data signed with a VeriSign cert is the "original stuff"?
>Why?

Empirically, each and every time I have ordered something, it has arrived at my location, intact, and with the correct amount charged to my account.

>There is evidence they issue wrong certs. One issue has become
>famous. How many are there we don't know about?

Sigh, *is* there evidence that Verisign issues (present tense) wrong certs, or do you mean that there is evidence that Verisign once issued (past tense) a wrong cert? Making a mistake once is inevitable. Learning not to do it again and avoiding a second incident builds character. Note too that with CRLs, the incident above was easily rectified - in applications that fully implemented X.509 processing.

>What Masataka Ohta IMHO tries to say is that it is at best nice to
>have a signed root zone, but you will not gain /any/ increase in security.

The goal of security is to limit the damage of an (unauthorized) action. (With "damage" being inherently "bad stuff.") Significant subgoals of security are to lower the chance (probability) that an unauthorized action will have any impact, limiting the impact to a small set of assets, and limiting the duration of the impact.

Signing the root zone means that not only will the attacker need to convince resolvers that it is the true source of the root, but the attacker will also need to be able to forge the signatures. Forging can be done, but as it is yet another step to be mastered, there is an even lower likelihood of success. (The more times the attacker fails, the more chance the attacker has of getting caught before perfecting the attack.)

(Signing the root zone does not limit damage to a small set of assets on its own.)

As far as the third subgoal, the next comment you make comes into play.
>And one reason is that if the security is compromised the network
>police will not read you your rights and drag you away. It will work
>fine, as long as it works. If it fails it fails. Nothing else.

There are no network police, but there are existing legal jurisdictions. When someone breaches network security, the impact is on real property. So, when performing a post mortem on an attack, it is important to be able to provide data/information to the appropriate legal jurisdictions describing the incident. If the attacker has been able to "have the key" then that is one more step towards pinning the blame for an attack on someone. (So long as proper rules regarding evidence are followed.)

My point here is - if the attacker is thrown in jail, the attack will stop by then. (I could go into jail as a deterrent too.)

So, I see that signing the root benefits "security" in that it requires forgery to be added to the attacker's arsenal and requires the attacker to hold on to something that may be used against them in a court of law.

PS - the roots can limit damage through a key change and proper dissemination of this. This is a rougher thing to accomplish and the attacker might get away with things for a while, but it is a help.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.