

To: dnsop@cafax.se
From: Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>
Date: Tue, 15 Oct 2002 18:17:21 +0200
Content-Disposition: inline
In-Reply-To: <a05111b1ab9d1c9c0a69f@[192.149.252.227]>; from edlewis@arin.net on Tue, Oct 15, 2002 at 10:07:18AM -0400
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5.1i
Subject: Re: Interim signing of the root zone.

On Tue, Oct 15, 2002 at 10:07:18AM -0400, Edward Lewis wrote:
> Sigh, *is* there evidence that Verisign issues (present tense) wrong 
> certs or do you mean that there is evidence that Verisign once issued 
> (past tense) a wrong cert?   Making a mistake once is inevitable. 
> Learning not to do it again and avoiding a second incident builds 
> character.

Do you know if they don't do it every month with "small unimportant"
incidents that no reporter finds worth writing an article about? That we
don't know about it doesn't mean that there is none. Maybe nobody
is trying it hard enough/at all, currently.

> Note too that with CRL's, the incident above was easily rectified - 
> in applications that fully implemented X.509 processing.

Applications doing that correctly I still have to see.

> (The more times the attacker fails, the more chance the attacker has 
> at getting caught before perfecting the attack.)

Naaaa ... come on, it's not the late 80's. I am sure we all know and we
all fear the power of distributed attacks and that there is no real
method currently to make them stop (other than pull the plug of course,
which is /not/ a considerable solution in this case). There's so many open
servers that - if the attackers like - they can carry on an attack for
days/weeks throughout the whole Internet.
What we have seen so far are kids playing around. What do you think will
happen, if someone/a group with a plan, enough theoretical/practical
background and enough money /really/ wants to cause harm? And: I mean
harm just for the purpose of causing harm.

> There are no network police, but there are existing legal 
> jurisdictions.

Where? Think global. There are many countries around the world and they all
have different laws. Some even don't have laws for computer fraud at all.
And: if someone writes such a worm and injects it via public internet
access points (e.g. internet cafes) how do you think you will ever be
able to trace her/him back? Make a holiday trip to Bangkok, there's
public internet at every corner. The PCs are usually well equipped, CD
drives and all. Spend some bucks and have fun.

> My point here is - if 
> the attacker is thrown in jail, the attack will stop by then.

Wrong again. Think CodeRed, think Nimda.
Do you think the attacks will stop, just because the originator of the
virus is thrown in jail (if at all possible with local jurisdiction)?

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"