Subject: Re: [xri] Re: question about dns trust profile
On Feb 5, 2009, at 2:56 PM, Brian Eaton wrote:

> On 2/5/09, Peter Davis <peter.davis@neustar.biz> wrote:
>> True, but no more so than an A record attack on the DNS for almost every
>> resource we have. The real test, IFAIC, is a trust in the signature keys.
>> Anything else is liable to introduce attacks.
>
> I think the attack exists even with trust in the signature keys.

What I was really meaning here is that the relying party to private key K accepts the policies under which the bearer of key K adheres to (one such policy being: "bearer of K will sign all documents with the same key, the signature indicates adherence (of the document) to (some articulated policies)")

> Consider this:
>
> Same key is used to sign two documents, A and B.
> Legitimate DNS entry specifies that resource X maps to document A.
> Spoofed DNS entry specifies that resource X maps to document B.

True, but if the key location is also in the DNS (as I indicated would be the case for delegated signing), both Document A's location and the Keys for the signature for Document A are both addressed in the namespace of resource x.

=peterd
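The two-document scenario quoted in this message, as an added example that is not part of the original thread: a relying party that checks only the signature accepts document B for resource X, while one that also requires the signed content to name the requested resource rejects it. HMAC stands in for a public-key signature so the code runs on the standard library, and the `subject` field, resource names, and URLs are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for signing key K. HMAC replaces a real public-key
# signature only so the example runs on the standard library.
KEY_K = b"constructed-demo-key"


def sign(doc: dict) -> dict:
    """Return the document together with a MAC over its canonical JSON."""
    body = json.dumps(doc, sort_keys=True).encode()
    return {"body": doc, "sig": hmac.new(KEY_K, body, hashlib.sha256).hexdigest()}


def signature_ok(signed: dict) -> bool:
    """Recompute the MAC and compare in constant time."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(KEY_K, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


# Two documents signed with the same key, as in the scenario.
# The "subject" field is an assumption of this example.
STORE = {
    "doc-A": sign({"subject": "resource-X", "endpoint": "https://a.example/"}),
    "doc-B": sign({"subject": "resource-Y", "endpoint": "https://b.example/"}),
}
LEGIT_DNS = {"resource-X": "doc-A"}    # constructed legitimate mapping
SPOOFED_DNS = {"resource-X": "doc-B"}  # constructed spoofed mapping


def resolve_signature_only(resource: str, dns: dict):
    """Accept whatever the DNS mapping points at if its signature verifies."""
    signed = STORE[dns[resource]]
    return signed["body"] if signature_ok(signed) else None


def resolve_with_subject_binding(resource: str, dns: dict):
    """Also require the signed content to name the resource that was asked for."""
    signed = STORE[dns[resource]]
    if not signature_ok(signed):
        return None
    if signed["body"].get("subject") != resource:
        return None  # valid signature, but over a document about something else
    return signed["body"]


if __name__ == "__main__":
    for label, dns in (("legitimate", LEGIT_DNS), ("spoofed", SPOOFED_DNS)):
        print(label, resolve_signature_only("resource-X", dns),
              resolve_with_subject_binding("resource-X", dns))
```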