[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Social-discuss] DNSSEC update and client side certificates
|
From: |
Story Henry |
|
Subject: |
[Social-discuss] DNSSEC update and client side certificates |
|
Date: |
Sat, 20 Mar 2010 19:55:54 +0100 |
Hi,
Here are two issues with X509 that were hindrances for a solution like foaf+ssl
to be deployed, but which can and are being fixed:
1. Client Side Certificate selection
------------------------------------
Browsers currently do a very bad job of allowing the user to choose his
certificate (Safari being the absolute worse). As a result I posted "Firefox
Hackers Needed"
http://bit.ly/cQ5f48
earlier this week. @snej who is working at Google put up a picture of a
solution for this in Chrome using a foaf+ssl certificate created by
http://webid.myxwiki.org/
http://bit.ly/azCXTU
Vote for it!
2. Server side certificates
---------------------------
One factor that people mention often with foaf+ssl is that the server has to
have his own certificate. This means registration with a CA which is costly and
tedious and it does not really solve the problems of server authentication as
Dan Kaminsky shows ruthlessly in "Black Ops of PKI" http://bit.ly/4Uwb2K .
To summarise his talk, server security is in a double bind:
1- Dan Kaminsky's DNS poisoning attack which is very well explained by Rick Van
Rein's presentation "Cracking Internet: the urgency of DNSSEC" (
http://bit.ly/2darr8 view with FFox > 3.5 as it uses ogg video) means that a
DNS easily be hacked in 6 weeks, and a lot of money poured into the wrong
people's pockets. So there is a financial incentive to break DNS.
2. The solution of using https with X.509 public key cryptography's backing
cannot work because there is a race to the bottom in the way CA's issue
certificates. For enough money it is not that difficult to become God and to
pretend you are anyone.
Given the above DNSsec has become urgent enough, that it is being deployed.
- verisign will put .com in July http://bit.ly/dyd54E
- .org will be available in June http://bit.ly/abEJ28
- .gov went dnssec in March 2009 http://bit.ly/bH27b0
- The root will be signed July 2010 http://bit.ly/9YQMDJ
- a map of dnssec deployment http://www.xelerance.com/dnssec/
So listening to Dan Kaminsky you would think that he is against X509. Well
certainly it could be improved a lot, but he is not quite as negative as one
may think. X.509 with DNSsec seems to be something he thinks can work.
What he told me after his CCC and HAR talks and what you can see in the last
few minutes of the HAR talk "X509 considered Harmful" http://bit.ly/2darr8 is
that once DNS is secure one could put the X509 (self signed even) certs into
the DNS records. This would bypass the need for CAs. [ I hope I understood him
correctly ]. I am not sure what needs to be done to make this possible with the
browser vendors, but it would massively improve security on the web.
As a result I have fait that the global situation on the internet will only
make foaf+ssl solutions easier and more secure to deploy, enabling a completely
distributed social network to emerge, free and without the spying, as Eben
Moglen author of the GPL said so well recently http://bit.ly/brQmJz
Henry
Social Web Architect
http://bblfish.net/
Social Web Architect
http://bblfish.net/
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Social-discuss] DNSSEC update and client side certificates,
Story Henry <=