Stéphane Glondu <glo...@debian.org> writes: > Le 16/05/2013 18:37, Russ Allbery a écrit :
>> Right, it depends on what your risk model is. If you're defending >> against incompetence and/or commercial greed overriding security >> practices, DNSSEC looks a lot more appealing than the CA cartel, since >> there isn't the same level of commercial incentive to cut corners and >> do a crappy job (there's some, but it's not as bad). But if you're >> defending against governments, DNSSEC isn't going to help. I think >> it's best to assume that both the US and Chinese governments, at least, >> can make DNSSEC say what they want it to if they ever needed to. > That might be, but you already have to trust the "DNS cartel" anyway for > resolving domain names (which is needed in WebID, BrowserID, ...). You > don't have to give trust to new entities when using DNSSEC. None of the major authentication systems trust DNS. TLS with X.509, Kerberos, SAML, etc., all support mutual authentication, which means that both sides of the connection can establish the identity of the other independent of any DNS lookup or configuration. So an attacker in control of DNS can effectively do a denial of service attack, if there's no other way to get the IP address you need to connect to, but they can't actually compromise the security of the system. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87y5bdd3sc....@windlord.stanford.edu
