
Re: Web ID as passwordless authentication for debian web services



Stéphane Glondu <glondu@debian.org> writes:
> On 16/05/2013 18:37, Russ Allbery wrote:

>> Right, it depends on what your risk model is.  If you're defending
>> against incompetence and/or commercial greed overriding security
>> practices, DNSSEC looks a lot more appealing than the CA cartel, since
>> there isn't the same level of commercial incentive to cut corners and
>> do a crappy job (there's some, but it's not as bad).  But if you're
>> defending against governments, DNSSEC isn't going to help.  I think
>> it's best to assume that both the US and Chinese governments, at least,
>> can make DNSSEC say what they want it to if they ever needed to.

> That might be, but you already have to trust the "DNS cartel" anyway for
> resolving domain names (which is needed in WebID, BrowserID, ...). You
> don't have to give trust to new entities when using DNSSEC.

None of the major authentication systems trust DNS.  TLS with X.509,
Kerberos, SAML, etc., all support mutual authentication, which means that
both sides of the connection can establish the identity of the other
independent of any DNS lookup or configuration.  So an attacker in control
of DNS can effectively do a denial of service attack, if there's no other
way to get the IP address you need to connect to, but they can't actually
compromise the security of the system.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

