

To: Keith Moore <moore@cs.utk.edu>
Cc: RJ Atkinson <rja@extremenetworks.com>, keydist@cafax.se
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Date: Tue, 26 Mar 2002 15:40:58 -0500
In-Reply-To: Message from Keith Moore <moore@cs.utk.edu> of "Tue, 26 Mar 2002 15:02:37 EST." <200203262002.g2QK2bS22513@astro.cs.utk.edu>
Reply-To: sommerfeld@orchard.arlington.ma.us
Sender: owner-keydist@cafax.se
Subject: Re: My take on the BoF session

> Similar attacks are possible with DNSSEC.  The difference is that
> a greater amount of trust will be invested in the system if users
> believe that DNSSEC insulates them from such misrepresentation.

So, when DNSSEC is involved, this attack needs to happen prior to zone
signing -- i.e., the "registration" end needs to be attacked, not
merely the data present on a particular secondary server.

Note also that attacks of this form against commercial X.509 CAs have
been successful in the past.

					- Bill
