Dr Eberhard W Lisse wrote:

I am also struggling finding your point.

More than 20 years ago, I noticed that PKI, including DNSSEC, is not
at all cryptographically secure, being subject to MitM attacks on the CA or
zone chain, which I have pointed out every several years on this ML.

Initially, I was puzzled why PKI is operationally so complicated,
with a lot of parameters and no theory to properly determine
proper values for the parameters; it turned out that
there cannot be any proper values for the parameters because
PKI is not cryptographically secure.

If some CA between you and your peer is compromised, communication
between you and your peer is compromised.

About 10 years ago, DigiNotar demonstrated that attacks on
intermediate CAs are possible.

Another piece of evidence for my point is that DNSSEC assumes actually-not-
so-strong but too costly physical security of intermediate zones,
which means DNSSEC relies on too costly physical security of
intermediate zones and is not cryptographically secure.

DigiNotar also demonstrated that costly physical security similar
to that of DNSSEC TLDs can be compromised and is not secure at all.

It is true that plain DNS is not so secure, because birthday
attacks from anyone, not necessarily a MitM, can succeed
because of too short (16-bit) message IDs.

However, that DNSSEC is not cryptographically secure and is subject
to MitM attacks means that operating costly DNSSEC only to keep
it subject to MitM attacks is not only meaningless but also
harmful, giving society a false sense of security as if
DNSSEC were cryptographically secure.

So, let's recognize that DNSSEC is not cryptographically
secure and not worth its very high cost, and move on to make
DNS with longer message IDs, even though DNS must, with
or without DNSSEC, be subject to various MitM attacks.

Which of my points, if any, are you saying you cannot
understand so clearly?

                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
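The birthday-attack point about 16-bit message IDs, worked through as an added example that is not part of the post or of any thread participant's code: the Python script below (written for this page; its function names, the uniform-random-ID model, and the 32-bit width used for comparison are assumptions, not anything stated in the thread) computes the approximate chance that an off-path attacker's forged responses collide with the IDs of outstanding queries, how many forgeries reach a given success probability, and cross-checks the approximation with a seeded simulation, for the 16-bit field and for a longer one.

```python
import math
import random

# Added example (not from the post): quantify the birthday-style guessing
# attack against plain DNS transaction IDs and what a longer ID would buy.
# Model assumptions (ours, not the thread's): each outstanding query carries
# an independent, uniformly random ID; the attacker, who is off-path and
# cannot see the IDs, sends forged responses with independent, uniformly
# random IDs; a forgery is accepted if its ID equals that of any outstanding
# query.  Source-port randomization and other checks are ignored here.

DNS_ID_BITS = 16   # width of the DNS header message ID field
LONGER_ID_BITS = 32  # assumed width for the "longer message IDs" comparison


def spoof_success_probability(id_bits: int, outstanding_queries: int,
                              forged_responses: int) -> float:
    """Probability that at least one forged response collides with some
    outstanding query.  Standard birthday approximation
    1 - (1 - 1/2^b)^(n*k): each of the n*k (query, forgery) pairs matches
    with probability 2^-b, and the pairs are treated as independent."""
    space = 2 ** id_bits
    pairs = outstanding_queries * forged_responses
    return 1.0 - (1.0 - 1.0 / space) ** pairs


def forged_responses_needed(id_bits: int, outstanding_queries: int,
                            target_probability: float) -> int:
    """Smallest number of forged responses that reaches target_probability
    of at least one collision, under the same approximation."""
    if not 0.0 < target_probability < 1.0:
        raise ValueError("target_probability must be strictly between 0 and 1")
    space = 2 ** id_bits
    per_pair_miss = math.log(1.0 - 1.0 / space)          # log P(one pair misses)
    pairs = math.log(1.0 - target_probability) / per_pair_miss
    return math.ceil(pairs / outstanding_queries)


def simulate_attack(id_bits: int, outstanding_queries: int,
                    forged_responses: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the approximation with a seeded RNG: draw the
    resolver's IDs and the attacker's IDs, count the trials with any overlap."""
    rng = random.Random(seed)
    space = 2 ** id_bits
    hits = 0
    for _ in range(trials):
        query_ids = {rng.randrange(space) for _ in range(outstanding_queries)}
        forged_ids = {rng.randrange(space) for _ in range(forged_responses)}
        if query_ids & forged_ids:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n, k = 256, 256  # 256 outstanding queries for one name, 256 forged replies
    for bits in (DNS_ID_BITS, LONGER_ID_BITS):
        p = spoof_success_probability(bits, n, k)
        need = forged_responses_needed(bits, 1, 0.5)
        print(f"{bits:2d}-bit IDs: P(hit | n={n}, k={k}) = {p:.6f}; "
              f"forgeries for 50% against one query = {need}")
    print("simulated (16-bit, n=k=256):",
          simulate_attack(DNS_ID_BITS, n, k, trials=1500))
```

With 256 outstanding queries and 256 forged replies the 16-bit field is hit with probability about 1 - 1/e, while the same budget against a 32-bit field stays at the 10^-5 level; the simulation exists only to confirm that the closed-form approximation is trustworthy at these sizes.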
