Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
Privacy, Security, Encryption So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisation within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Permalink for comment 488737
To read all comments associated with this story, please click here.
Lennie
Member since:
2007-09-22

(sorry, the whole thing became a bit large)

A long time ago there was one CA and people were not all that happy about that either.

DNSSEC (crypto keys for DNS) with DANE (which is a proposed RFC) would be the closest thing to what you talk about, is in a way a single CA-system.

DNS is a hierarchy, it starts at the 'root'.

With ICANN at the top (root) and operations of the crypto handled by ICANN/IANA and Verisign.

The DNS root-servers however are handled by different organisations around the world. One is a large ISP (Cogent), one again is Verisign, one is the RIPE (European IP-addresses organisation), an other is the US department of defense. The list is here: http://www.root-servers.org/

The money to run ICANN comes from the US department of commerce (if I'm not mistaken). Although the department did sign a contract saying they don't interfere with technical operations.

The money from IANA and RIPE comes mostly from the people that need the IP-addresses. IANA is like RIPE, they 'lease IP-addresses' to organisations like ISP's that need them.

While they normally only tell DNS-servers where to find the DNS-servers for .com (which is Verisign) they could in theory point it somewhere else.

However DNSSEC adds crypto in the mix and access to the crypto keys is limited to a bunch of people from around the world.

As you can see it is complicated. ;-)

But there is a root and thus it is kind of similair to a single-CA-system. But a lot of different people and organisations have a say in different parts of it.

A lot of the organisations are US companies (because of historic reasons ofcourse) and thus the US has some power of those organisations.

Not everyone likes that, the Internet should be 'owned' by everyone.

DANE depends on DNSSEC being deployed and that deployment has been slow. Some currently deployed software and firewalls are not compatible. After all it is the largest change to DNS since it was created almost 30 years ago. Just an example, some operating systems and DSL-routers need to be fixed before everyone can use it.

Edited 2011-09-07 10:53 UTC

Reply Parent Score: 2