To:
Keith Moore <moore@cs.utk.edu>
Cc:
RJ Atkinson <rja@extremenetworks.com>, keydist@cafax.se
From:
Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Date:
Tue, 26 Mar 2002 15:40:58 -0500
In-Reply-To:
Message from Keith Moore <moore@cs.utk.edu> of "Tue, 26 Mar 2002 15:02:37 EST." <200203262002.g2QK2bS22513@astro.cs.utk.edu>
Reply-To:
sommerfeld@orchard.arlington.ma.us
Sender:
owner-keydist@cafax.se
Subject:
Re: My take on the BoF session
> Similar attacks are possible with DNSSEC. The difference is that
> a greater amount of trust will be invested in the system if users
> believe that DNSSEC insulates them from such misrepresentation.

So, when DNSSEC is involved, this attack needs to happen prior to zone signing -- i.e., the "registration" end needs to be attacked, not merely the data present on a particular secondary server.

Note also that attacks of this form against commercial X.509 CAs have been successful in the past.

- Bill