Re: Wes Hardaker: opportunistic encryption deployment problems
Henry Spencer writes:
> On Tue, 7 Aug 2001, Michael Thomas wrote:
> > I guess I have to ask a really dumb question. Given the
> > likelihood of DNSSEC any time soon, why don't we just
> > ignore any pretense of authentication with opportunistic
> > encryption and just accept the MITM attack inherent with
> > ephemeral DH exchanges?
>
> We thought about that, but decided that some authentication was better
> than none, especially since it would upgrade transparently to full
> authentication. It's one thing to accept security loopholes as a
> temporary measure, and another to define a protocol that will always have
> security loopholes.
Well... How is this especially different than just
using self-signed certificates and having a wide
open policy? I don't think there's anything protocol-wise
that even needs to be done there. Clearly you can upgrade
that by using rooted certs in the future as well.
I guess what bothers me is that you are expecting to
use DNS as a directory service for certs which it
wasn't really intended for thus making an already
complicated situation even more complicated, but
not changing the fundamental situation (PKIs are hard).
>
> > Also: it seems to me that expecting
> > a secure DNS isn't actually opportunistic at all: it's
> > trying to assert a different source of (sometimes strong) identity...
>
> This basically boils down to what you think "opportunistic" means. We
> don't see it as meaning "will talk to anybody, no setup necessary" but
> rather "will talk to anybody who's set up for it". Some amount of setup
> is clearly necessary anyway; we'd have liked to be able to talk to an
> IPsec-capable host that's unaware of opportunistic encryption, but it
> isn't possible.
I guess that I view that there's probably an 80/20 rule
here which is being missed: *most* people aren't going
to go to the lengths of creating an active MITM attack
to snoop on boring old everyday conversations.
Thus encrypting everything -- by accepting MITM attacks
where there is no pragmatic alternative -- will kill
off all of the passive snooping. Given the advent of
wireless and the worthlessness of certain L2's so-called
security, this is not an academic issue. Trying to insert
an upgrade path back to the mythical global PKI rather
misses the point: if there were such a beast, we
should be able to use IKE as-is (or at least we ought
to be able to envision how to do that). Also: I
think the MIP experience sez that we ought to
consider whether we'd want such a PKI even if
it were possible.
Mike
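As an added illustration of the tradeoff argued over in this thread (example code, not from the thread or from the FreeS/WAN project): a toy ephemeral DH run in which a passive observer sees only the two public values, while an active man-in-the-middle ends up holding a different key with each endpoint. The fingerprint comparison at the end is the kind of check that an authenticated source of identity (a pinned self-signed cert, a DNS-published key) would make possible; the group parameters and party names are constructed and far too small for real use.

```python
import hashlib
import secrets

# Toy group (constructed for illustration): 2**127 - 1 is a Mersenne prime.
# Real IKE uses much larger MODP groups; the property shown does not depend on size.
P = 2**127 - 1
G = 5


def keypair():
    """Fresh ephemeral DH key: (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(private, peer_public):
    """Session key derived from the DH shared secret (peer_public^private mod p)."""
    secret = pow(peer_public, private, P)
    return hashlib.sha256(str(secret).encode()).hexdigest()


def fingerprint(key):
    """Short form of a key, as two endpoints would compare over an authenticated channel."""
    return key[:8]


def exchange(mitm=False):
    """One ephemeral DH exchange between Alice and Bob.

    Returns (alice_key, bob_key, passive_view, mallory_keys). passive_view is all
    an eavesdropper on the wire sees; mallory_keys is None unless an active
    attacker relays the exchange, in which case it holds her key with each side.
    """
    a, A = keypair()
    b, B = keypair()
    passive_view = (A, B)  # public values only; private exponents never leave the hosts
    if not mitm:
        return shared_key(a, B), shared_key(b, A), passive_view, None
    # Active Mallory substitutes her own public values in each direction, so each
    # endpoint unknowingly agrees a key with her rather than with its real peer.
    m1, M1 = keypair()
    m2, M2 = keypair()
    alice_key = shared_key(a, M2)  # Alice believes M2 came from Bob
    bob_key = shared_key(b, M1)    # Bob believes M1 came from Alice
    mallory_keys = (shared_key(m2, A), shared_key(m1, B))
    return alice_key, bob_key, passive_view, mallory_keys


def keys_match(alice_key, bob_key):
    """The detection step: with no MITM the fingerprints agree; with one, they differ."""
    return fingerprint(alice_key) == fingerprint(bob_key)
```

Without an authenticated way to compare the fingerprints (or to bind the public values to an identity), neither endpoint can tell the second run from the first, which is exactly the loophole the thread is weighing against passive snooping.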