[ih] DNS turtles, DKIM history, was IETF relevance (was Memories of Flag Day?)

John R. Levine johnl at iecc.com
Wed Aug 30 07:09:05 PDT 2023


On Tue, 29 Aug 2023, Michael Thomas wrote:
>> I don't think I've ever seen the kind of attack that DNSSEC defends
>> against in the wild, certainly not against DKIM records, so in
>> practice it's secure enough. Perhaps by accident we made the right
>> tradeoff. ...

> So yes, it was a mistake. We could have had a very secure solution with 
> proven and widely deployed technology with a pattern that could be replicated 
> in other solutions so that we did get complete messes like STIR/SHAKEN and 
> its use of x.509 when simple naked public key use would have been completely 
> sufficient. ...

I don't disagree that the performance would be OK, but the certs seem like 
security theatre.  Before LE, the usual way to get a cert signed was that you 
paid someone $5 and they emailed a link to hostmaster@<domain> that you 
clicked.  With LE, either it's a token in a DNS record or on the web site's 
home page.  If you're worried that hostile parties could fake the DKIM key 
record, they could as well fake the MX for the mail or TXT or A for the LE 
token.  These days it's DNS turtles all the way down.

It's certainly possible to have more secure models for cert signing but when's 
the last time you saw a green bar cert?

R's,
John
