Phillip Hallam-Baker <hal...@gmail.com> writes: >The attack surface is the number of paths that are open to an attacker. > >In the current model there is only one trust path, the PKIX path.
Which isn't so much a path as a twelve-lane motorway with elevated cloverleaf interchanges, twenty-four-hour drive-through catering stops, and large neon signs every few km inviting every attacker to join in. >In the new model, the attacker has a choice of trust paths, the PKIX path and >the DNSSEC path and they can attack either of them. Or you can block off the PKIX motorway and leave only the (possibly) smaller DNSSEC two-lane road. (I'm not sure whether DNSSEC has a smaller overall attack surface than PKIX, but chances are it does because the only security protocol with an even larger attack surface than PKIX is XMLsec, whose attack surface is so huge that it won't fit on the planets surface but actually extends several km out into space). Peter. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
