Re: DS Algorithm selection and SHA1 deprecation
alex@alex.org.uk writes:
> Assuming the malefactor has control over an intervening point in the
> network, can he not just prevent the validator from seeing the fact
> there is an SHA-256 record there in the first place? (man in the
> middle attack - remove the packets and introduce just the
> SHA-1 DS record of his choice). This is my assumption - if I'm
> wrong about that, then clearly you are right in the rest of your
> logic.
How would the MitM sign it? Surely the two DS records are part of the same
RRset, and so signed as a single entity.
--
Chris Thompson
Email: cet1@cam.ac.uk
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
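The point Chris makes above, as an added worked example that is not part of the thread: the RRSIG the parent publishes covers the canonical wire form of the whole DS RRset (RFC 4034, sections 6.2 and 6.3), so an on-path attacker who strips the SHA-256 DS and forwards only the SHA-1 DS hands the validator a set the existing signature no longer matches. HMAC-SHA256 stands in for the parent's real RRSIG algorithm (assumption, so the example runs on the standard library alone); the DNSKEY bytes, the zone key and the owner name are constructed sample values.

```python
"""Why one DS record cannot be stripped from a signed DS RRset.

Added example, not code from the namedroppers thread.  An RRSIG covers the
canonical form of every record in the RRset, so dropping the SHA-256 DS
(digest type 2) and leaving the SHA-1 DS (digest type 1) breaks validation.
Assumption: HMAC-SHA256 stands in for the parent's public-key RRSIG; the
DNSKEY, the parent zone key and the owner name are constructed values.
"""
import hashlib
import hmac
import struct

TYPE_DS, CLASS_IN, TTL = 43, 1, 3600


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, length-prefixed, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """DS RDATA (RFC 4034 s5.1): key tag | algorithm | digest type | digest,
    where digest = hash(canonical owner name | DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + dnskey_rdata).digest()
    algorithm = dnskey_rdata[3]  # DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key
    return struct.pack("!HBB", key_tag(dnskey_rdata), algorithm, digest_type) + digest


def canonical_rrset(owner: str, rtype: int, rdatas) -> bytes:
    """RFC 4034 s6.3: RRs in canonical order (RDATA as unsigned octet strings),
    each serialised as owner | type | class | TTL | rdlength | rdata."""
    out = b""
    for rd in sorted(rdatas):
        out += name_to_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(rd)) + rd
    return out


def sign_rrset(zone_key: bytes, owner: str, rtype: int, rdatas) -> bytes:
    """Stand-in for the parent's RRSIG: one MAC over the entire canonical RRset."""
    return hmac.new(zone_key, canonical_rrset(owner, rtype, rdatas), hashlib.sha256).digest()


def validate_rrset(zone_key: bytes, owner: str, rtype: int, rdatas, sig: bytes) -> bool:
    return hmac.compare_digest(sign_rrset(zone_key, owner, rtype, rdatas), sig)


def demo():
    """Returns (intact_ok, stripped_ok, forged_ok)."""
    owner = "example.org."
    # Constructed child KSK: flags 257 (SEP), protocol 3, algorithm 8, fake key bytes.
    dnskey = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))
    ds_sha1 = ds_rdata(owner, dnskey, 1)
    ds_sha256 = ds_rdata(owner, dnskey, 2)

    parent_key = b"constructed parent zone signing key"
    sig = sign_rrset(parent_key, owner, TYPE_DS, [ds_sha1, ds_sha256])

    # Reordering on the wire is harmless: canonical ordering is applied before checking.
    intact_ok = validate_rrset(parent_key, owner, TYPE_DS, [ds_sha256, ds_sha1], sig)
    # The on-path attacker drops the SHA-256 DS: the parent's signature no longer matches.
    stripped_ok = validate_rrset(parent_key, owner, TYPE_DS, [ds_sha1], sig)
    # Nor can he re-sign the reduced set without the parent's key.
    forged_sig = sign_rrset(b"attacker key", owner, TYPE_DS, [ds_sha1])
    forged_ok = validate_rrset(parent_key, owner, TYPE_DS, [ds_sha1], forged_sig)
    return intact_ok, stripped_ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

The attacker's only remaining option is to withhold the whole DS RRset, and a validator treats an unsigned, unproven absence of DS as bogus rather than as insecure delegation; that is the case the rest of the thread's reasoning rests on.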