On 16-05-13 18:37, Russ Allbery wrote:
> Wouter Verhelst <wou...@debian.org> writes:
>> On 16-05-13 17:42, Russ Allbery wrote:
>
>>> You could, in theory, switch to DNSSEC, but now you're just replacing
>>> one CA cartel with another.
>
>> Except that with DNSSEC (and DANE), the number of people you have to
>> trust is much smaller.
>
> Right, it depends on what your risk model is. If you're defending against
> incompetence and/or commercial greed overriding security practices, DNSSEC
> looks a lot more appealing than the CA cartel, since there isn't the same
> level of commercial incentive to cut corners and do a crappy job (there's
> some, but it's not as bad).

With the CA cartel, you're implicitly trusting some hundreds of companies
(most of whom you don't even know) to DTRT. With DNSSEC, you're trusting
the DNS root admins, the admins of your TLD and of any intermediate domain
that you depend on, and your registrar.

I think regardless of what your risk model is, "fewer people to trust apart
from myself" is *always* better than the alternative. That doesn't mean
it's perfect, and for some high-value targets anything less than
perfection is just not good enough. But that doesn't negate the fact that
one alternative outweighs the other.

> But if you're defending against governments,
> DNSSEC isn't going to help. I think it's best to assume that both the US
> and Chinese governments, at least, can make DNSSEC say what they want it
> to if they ever needed to.

Probably, yes. But if you're trying to defend against (possibly malicious)
governments, you've already lost. Nobody has the resources of a
government, and you just can't win there.

[...]

> cryptosystems: vulnerabilities never get better. They only get worse. So
> there's some reluctance within the field to adopt a new authentication
> system with known attack vulnerabilities even if one thinks one can live
> with the current vulnerability. It usually means that vulnerability is
> going to get worse over time.

True. I wasn't trying to imply that we should go for WebID, or any kind of
federated authentication scheme, for critical systems. "Federated" just
means "trust people to do whatever", which is a terrible idea whenever one
is trying to do real security.

However, the one sentence I quoted from your original mail seemed to imply
that you consider DNSSEC (and, by extension, DANE) as bad as the CA
cartel. That I believe is false, and I just wanted to make that
distinction.

[...]

> according to known practices. The whole point of distributed
> authentication is to eliminate that single point of central authority, but
> as a result the trust problem becomes almost intractably difficult.

Exactly.

[...]

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/

Archive: http://lists.debian.org/51972d77.4040...@debian.org
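The thread's claim that DANE shrinks the set of parties you have to trust can be made concrete with a small model. The following is an added example, not code from the thread or from either author: it enumerates the DNSSEC zones whose keys must be trusted to validate a name (root, TLD, each intermediate zone, plus the registrar that submits the DS record), and implements the certificate-association check for a TLSA record (RFC 6698 usages 2 and 3, selector 0, matching types 0/1/2). With usage 3 (DANE-EE) the check consults only the DNSSEC-signed record and the certificate the server presents; no CA from the browser bundle is involved, which is the difference in trust surface the mail is arguing about. The certificate bytes, chain, and registrar name are constructed placeholders; selector 1 (SubjectPublicKeyInfo) is left out because it would need DER parsing.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed placeholders standing in for DER-encoded certificates. Hashing
# the whole certificate (TLSA selector 0) needs no DER parsing, so any bytes
# serve to exercise the matching logic.
LEAF_CERT_DER = b"constructed-placeholder-leaf-certificate-bytes"
INTERMEDIATE_DER = b"constructed-placeholder-intermediate-ca-bytes"
SERVER_CHAIN = [LEAF_CERT_DER, INTERMEDIATE_DER]  # leaf first, as a TLS server sends it


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0/1 = PKIX-TA/PKIX-EE, 2 = DANE-TA, 3 = DANE-EE (RFC 6698 2.1.1)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (not handled here)
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 2.1.3)
    data: bytes


def tlsa_rdata(rec: TLSA) -> bytes:
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    return struct.pack("!BBB", rec.usage, rec.selector, rec.matching) + rec.data


def parse_tlsa(rdata: bytes) -> TLSA:
    """Inverse of tlsa_rdata; rejects records too short to carry the fixed fields."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return TLSA(usage, selector, matching, rdata[3:])


def association_data(cert_der: bytes, rec: TLSA) -> bytes:
    """Derive the bytes a certificate must present to match `rec`."""
    if rec.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs a DER parser; not modelled")
    if rec.matching == 0:
        return cert_der
    if rec.matching == 1:
        return hashlib.sha256(cert_der).digest()
    if rec.matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {rec.matching}")


def dane_check(chain: list, rec: TLSA) -> str:
    """Return which validation path the record selects and whether it matched.

    'dane-ee'    usage 3: the leaf matched; no CA is consulted at all.
    'dane-ta'    usage 2: a chain certificate matched the anchor. A full client
                 must additionally build a PKIX path to that anchor.
    'needs-pkix' usage 0/1: the record only constrains an ordinary CA-validated
                 chain, so the CA bundle is still trusted.
    'mismatch'   the presented certificate(s) do not match the record.
    """
    if rec.usage == 3:
        ok = hmac.compare_digest(association_data(chain[0], rec), rec.data)
        return "dane-ee" if ok else "mismatch"
    if rec.usage == 2:
        ok = any(hmac.compare_digest(association_data(c, rec), rec.data) for c in chain[1:])
        return "dane-ta" if ok else "mismatch"
    if rec.usage in (0, 1):
        return "needs-pkix"
    raise ValueError(f"unknown certificate usage {rec.usage}")


def dnssec_trust_chain(hostname: str) -> list:
    """Zones whose signing keys a validator must trust for `hostname`.

    Over-approximates by treating every label as a zone cut; in practice a
    host record may live inside its parent zone and be signed by that zone's key.
    """
    labels = [l for l in hostname.strip().rstrip(".").lower().split(".") if l]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def dane_ee_trusted_parties(hostname: str, registrar: str) -> list:
    """Model of the mail's list: root, TLD, intermediate zones, own zone, registrar."""
    return dnssec_trust_chain(hostname) + [f"registrar:{registrar}"]


def demo() -> dict:
    """Run the checks on the constructed data; results keyed by scenario."""
    good = TLSA(3, 0, 1, hashlib.sha256(LEAF_CERT_DER).digest())
    bad = TLSA(3, 0, 1, bytes(32))
    anchor = TLSA(2, 0, 1, hashlib.sha256(INTERMEDIATE_DER).digest())
    pkix = TLSA(1, 0, 1, hashlib.sha256(LEAF_CERT_DER).digest())
    assert parse_tlsa(tlsa_rdata(good)) == good  # wire-format round trip
    return {
        "dane-ee good": dane_check(SERVER_CHAIN, good),
        "dane-ee bad": dane_check(SERVER_CHAIN, bad),
        "dane-ta": dane_check(SERVER_CHAIN, anchor),
        "pkix-ee": dane_check(SERVER_CHAIN, pkix),
        "parties": dane_ee_trusted_parties("www.example.org", "example-registrar"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `parties` entry is the contrast with the Web PKI: for a DANE-EE record the list is the root, `org.`, `example.org.`, the host's own zone and one registrar, whereas with the CA model any root in the bundle can vouch for the same name.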