
Re: Web ID as passwordless authentication for debian web services
On 16-05-13 18:37, Russ Allbery wrote:
> Wouter Verhelst <wouter@debian.org> writes:
>> On 16-05-13 17:42, Russ Allbery wrote:
> 
>>> You could, in theory, switch to DNSSEC, but now you're just replacing
>>> one CA cartel with another.
> 
>> Except that with DNSSEC (and DANE), the number of people you have to
>> trust is much smaller.
> 
> Right, it depends on what your risk model is.  If you're defending against
> incompetence and/or commercial greed overriding security practices, DNSSEC
> looks a lot more appealing than the CA cartel, since there isn't the same
> level of commercial incentive to cut corners and do a crappy job (there's
> some, but it's not as bad).

With the CA cartel, you're implicitly trusting some hundreds of
companies (most of whom you don't even know) to DTRT. With DNSSEC,
you're trusting the DNS root admins, the admins of your TLD and of any
intermediate domain that you depend on, and your registrar. I think
regardless of what your risk model is, "fewer people to trust apart from
myself" is *always* better than the alternative.

That doesn't mean it's perfect, and for some high-value targets anything
less than perfection is just not good enough. But that doesn't negate
the fact that one alternative outweighs the other.

> But if you're defending against governments,
> DNSSEC isn't going to help.  I think it's best to assume that both the US
> and Chinese governments, at least, can make DNSSEC say what they want it
> to if they ever needed to.

Probably, yes. But if you're trying to defend against (possibly
malicious) governments, you've already lost. Nobody has the resources of
a government, and you just can't win there.

[...]
> cryptosystems: vulnerabilities never get better.  They only get worse.  So
> there's some reluctance within the field to adopt a new authentication
> system with known attack vulnerabilities even if one thinks one can live
> with the current vulnerability.  It usually means that vulnerability is
> going to get worse over time.

True.

I wasn't trying to imply that we should go for WebID, or any kind of
federated authentication scheme, for critical systems. "Federated" just
means "trust people to do whatever", which is a terrible idea whenever
one is trying to do real security.

However, the one sentence I quoted from your original mail seemed to
imply that you consider DNSSEC (and, by extension, DANE) as bad as the
CA cartel. That I believe is false, and I just wanted to make that
distinction.

[...]
> according to known practices.  The whole point of distributed
> authentication is to eliminate that single point of central authority, but
> as a result the trust problem becomes almost intractably difficult.

Exactly.

[...]

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/
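
The trust sets the thread compares can be made concrete. As an added example (not code from this thread or from Debian), the script below lists the zones whose DNSSEC keys you end up trusting for one host name under DANE, builds the TLSA owner name for it, and matches a TLSA record against the server's key using the RFC 6698 selector and matching-type rules. The certificate, SPKI and TLSA bytes are constructed placeholders, and the host names are illustrative.

```python
"""Added example, not from the thread: enumerate the parties DANE makes you
trust for one host name, and match a TLSA record against the server's key
per RFC 6698 (selector / matching type). All byte strings are constructed."""
import hashlib
import hmac

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82constructed-certificate-bytes"
SPKI_DER = b"\x30\x59constructed-spki-bytes"
# Constructed TLSA record: usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256)
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


def dane_trust_chain(hostname: str) -> list:
    """Zones whose DNSSEC keys must be trusted for this name: the root, the TLD
    and every possible intermediate zone cut down to the host itself (the
    registrar that publishes the DS record is trusted out of band)."""
    labels = hostname.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def tlsa_owner_name(hostname: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name at which the TLSA record for this service is published."""
    return f"_{port}._{proto}.{hostname.rstrip('.')}."


def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare a TLSA record (presentation format "usage selector mtype hex")
    against the end-entity certificate. Only usages 1 and 3 are handled; usage 1
    additionally requires PKIX validation, which this example does not perform."""
    usage, selector, mtype, data = record.split()
    if int(usage) not in (1, 3):
        raise ValueError("usages 0 and 2 match a CA certificate, not handled here")
    subject = {0: cert_der, 1: spki_der}[int(selector)]
    if int(mtype) == 0:      # exact match of the full DER bytes
        digest = subject
    elif int(mtype) == 1:    # SHA-256 of the selected data
        digest = hashlib.sha256(subject).digest()
    elif int(mtype) == 2:    # SHA-512 of the selected data
        digest = hashlib.sha512(subject).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return hmac.compare_digest(digest, bytes.fromhex(data))


if __name__ == "__main__":
    print(tlsa_owner_name("www.example.org"), dane_trust_chain("www.example.org"))
    print(tlsa_matches(SAMPLE_TLSA, CERT_DER, SPKI_DER))  # True
```

The chain for `www.example.org` is the root, `org.`, `example.org.` and the host's own zone, which is the short list the message above contrasts with a CA bundle of hundreds of issuers.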
