In his session titled “Innovating with the domain name system: New opportunities enabled by trusted key distribution”, Dr. Burt Kaliski Jr, Senior Vice President and Chief Technology Officer, Verisign, today threw light on DNS-based Authentication of Named Entities (DANE), a working group formed by the IETF that seeks to replace the aging CA certification model with one based on DNSSEC deployed at the DNS root, in order to simplify and strengthen the distribution of validated credentials from the issuer to the relying party.
He began by highlighting the evolution of Internet-based applications in India, which he termed a “Unique Convergence of Different Markets.”
This was followed by a brief introduction to DNS (referred to by Dr. Burt as the “Phonebook of Phonebooks”) and its modus operandi. Dr. Burt pointed out some gaping holes in the existing CA system, like its vulnerability to Man in the Middle attacks, lack of transparency etc., and then proceeded to explain how DANE helps mitigate these and brings some additional value to secure data transmission on the Internet.
In contrast to the certification authority model, which involves multiple third parties, the premise of DANE (Adding Keys to Phonebooks) is more of a direct interaction between clients and the domains they interact with, secured by DNSSEC (Adding Security to Phonebook Entries).
DNSSEC (Domain Name System Security Extensions) protects DNS data from being forged, by first verifying data origin authenticity and then using public key cryptography to preserve its integrity as it moves across the web.
DANE hence verifies TLS handshakes using only DNSSEC-protected data, thereby eliminating the possibilities of MitM attacks and cache poisoning.
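The check a DANE-aware client performs can be sketched as follows. This is an added example, not code from the talk or from Verisign. It covers only the DANE-EE case (certificate usage 3 of the TLSA record defined in RFC 6698), and it assumes the resolver's DNSSEC verdict and the certificate and public-key bytes are supplied by the caller; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}
DANE_EE = 3  # certificate usage 3: the record pins the server's own cert or key

def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if selector not in (0, 1) or mtype not in MATCHING:
        raise ValueError("unsupported selector or matching type")
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def record_matches(rdata, cert_der, spki_der):
    """True if one DANE-EE record matches the presented certificate or key."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != DANE_EE:
        return False  # other usages need chain building, out of scope here
    selected = cert_der if selector == 0 else spki_der  # 0 = cert, 1 = public key
    digest = MATCHING[mtype]
    presented = selected if digest is None else digest(selected).digest()
    return hmac.compare_digest(presented, data)

def dane_ee_match(rrset, dnssec_validated, cert_der, spki_der):
    """Accept only if the TLSA answer was DNSSEC-validated and a record matches."""
    if not dnssec_validated:
        return False  # unsigned or bogus answers must never authenticate a key
    for rdata in rrset:
        try:
            if record_matches(rdata, cert_der, spki_der):
                return True
        except ValueError:
            continue  # malformed record: unusable, try the next one
    return False

# Constructed stand-ins for the DER bytes a TLS library would hand over.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-public-key-der"
SAMPLE_RRSET = ["3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()]

if __name__ == "__main__":
    print(dane_ee_match(SAMPLE_RRSET, True, SAMPLE_CERT, SAMPLE_SPKI))
    print(dane_ee_match(SAMPLE_RRSET, False, SAMPLE_CERT, SAMPLE_SPKI))
```

The `dnssec_validated` gate is the part that ties the key to the signed zone: a matching record taken from an unvalidated answer proves nothing, because the answer itself could have been forged.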
Mr. Burt talked at great length about the benefits of DANE for various Internet-hosted applications like e-commerce, online banking, email, VoIP, online software distribution etc. and emphasized how these benefits can only be realized fully by cohesive contributions from the entire internet community, including registries, registrars, registrants, software developers, hosting companies, hardware vendors, etc.
Verisign has been using, as Mr. Burt put it, a “top-down key distribution model” to ensure operational deployment of DANE and DNSSEC at smaller zones first, moving to larger zones as it meets compatibility and acceptance among the grass-root community.
Mr. Burt explained how Verisign is helping IT community members drive down the DNSSEC implementation costs by providing various tools, training options, services, support etc.
He also mentioned Verisign’s DNSSEC Interoperability Lab, which allows the IT community to test the compatibility of their internet and business infrastructure components with DNSSEC in advance, to determine the impact DNSSEC might have on the solutions and services they offer.
The traction that the DANE protocol has been gaining with time, along with the promise it demonstrates of securing online transactions using DNSSEC, makes its journey and the effect it might have in the realm of operational Internet security worth watching.
The next session lined up is “Winning in India – Creating new markets and seizing opportunities” by Rajiv Sodhi, Vice President and Managing Director, Go Daddy at 3:00 PM IST.