[infowar.de] UPI 12.04.07: Analysis: Owning the keys to the Internet

[Georg Schoefbaenker <schoefbaenker -! - aon - at>]

Published: April 12, 2007 at 12:52 PM
Analysis: Owning the keys to the Internet
By SHAUN WATERMAN

UPI Homeland and National Security Editor

WASHINGTON (UPI) -- The U.S. government is pressing ahead with plans to 
implement a new security regime for the basic architecture of the World 
Wide Web, despite unease in some corners of the international Internet 
management community.

"This is the U.S. government stepping forward and showing leadership," 
Douglas Maughan, an official with the Department of Homeland Security's 
Science and Technology Directorate, told United Press International.

At issue is the long-debated implementation of a new security system 
governing the Domain Name System, or DNS, the Internet architecture that 
directs surfers to the sites they want to visit. The DNS translates the 
familiar www Web page addresses known as URLs into the numerical Internet 
Protocol, or IP, codes which identify the servers hosting that page.

Because DNS, like much of the Internet, was built with a relatively open 
architecture, it is possible to fake Internet addresses. Various techniques 
for doing this, known to specialists as DNS "spoofing" or "poisoning," are 
widely used by cyber-criminals. They can con people into believing they are 
logging on to their bank or e-mail accounts, entering personal information 
or passwords that can then be used to rob them.

The DNS Security Extensions Protocol, or DNSSec, is designed to end such 
abuse by allowing the instantaneous authentication of DNS information -- 
effectively creating a series of digital keys for the system.

One lingering question -- largely academic until now -- has been who should 
hold the key for the so-called DNS Root Zone, the part of the system that 
sits above the so-called Top Level Domains, like .com and .org.

The U.S. Department of Homeland Security is funding the development of a 
technical plan for implementing DNSSec, and last October distributed an 
initial draft of it to a long list of international experts for comments.

The draft lays out a series of options for who could be the holder, or 
"operator," of the Root Zone Key, essentially boiling down to a 
governmental agency or a contractor.

"Nowhere in the document do we make any proposal about the identity of the 
Root Key Operator," said Maughan, the cyber-security research and 
development manager for Homeland Security.

Maughan said a new version of the draft specification, incorporating 
suggestions from the experts who reviewed it, would be released later this 
year for public comment.

"We are still working through some of the process issues" such as how to 
record and respond to all the public comments, he said, adding he hoped the 
document would be released "no later than the end of the summer."

He said the new version adopts a different nomenclature for the Root Key 
Operator, "to make it clear that a non-governmental organization or 
non-U.S. governmental agency could play the role."

"We recognize that increasing the security of the Internet requires global 
cooperation," stated a note accompanying the draft technical specification 
when it was circulated last year.

Nonetheless, at a recent meeting in Lisbon of the Internet Corporation for 
Assigned Names and Numbers, the international non-profit that currently 
manages DNS, there was some concern that the U.S. government might push 
ahead with implementation unilaterally.

"Our concern is that if unilateral action is taken it could generate 
friction in the operation of the Internet," Bernard Turcotte, president of 
the Canadian Internet Registration Authority, who was at the Lisbon 
meeting, told UPI.

Maughan said that while the U.S. government was committed to implementing 
DNSSec this year in the .gov domain, which it owns, that could be done 
independently, regardless of whether the new security system was rolled out 
Internet-wide or not.

"We can secure .gov and all the zones under .gov (like dhs.gov, or 
usdoj.gov) even if the Root (Zone) remains unsigned," he said, pointing out 
that Sweden had already implemented a digital key for the Country-Code Top 
Level Domain, .se, which it owned.

"You can secure islands of DNS ... we can secure our .gov infrastructure. 
That has nothing to do with the Root Zone Key," Maughan said.

"U.S. government agencies will be among the first to implement DNSSec," 
said Maughan, "This is the U.S. government stepping forward and showing 
leadership."

But he added that the U.S. government regards this as only the first step 
in the deployment of DNSSec globally. "It will take a lot more people to 
get involved to get that done," said Maughan, pledging that implementation 
"as directed by the president in the U.S. National Strategy to Secure 
Cyberspace" would go ahead.

It is that determination that worries some observers.

"To a large extent the Internet works because it is a collaborative 
effort," said Turcotte. "We want to avoid friction and conflict ... We want 
to ensure that whatever measures are implemented are well coordinated."

In part, he said, concern stems from the fact that the U.S. government, 
which currently manages and audits the Root Zone through the Department of 
Commerce and the contractor Verisign, is in a strong position to push ahead 
unilaterally -- something that is resented in some quarters.

"There are some governments that seem upset about that (U.S. role as 
auditor), but there has never been any reason to be. The U.S. government 
has handled its oversight responsibilities very well," he said.

Nonetheless, one report of the Lisbon meeting on an obscure German news Web 
site -- which was widely circulated on the Internet this month -- accused 
the Department of Homeland Security of having demanded "the master key" to 
the Internet.

The report led many so-called Netizens -- members of large and long 
established Internet discussion sites like Slashdot -- to question the 
motives of the U.S. government.

Several contributors suggested that possessing the Root Zone Key would make 
the U.S. government the only entity that could "spoof" DNS addresses.

Maughan dismissed the flap as "silly."

"The only mention of (the Department of Homeland Security) in the (draft 
DNSSec specification) is on the front cover. Our logo is there because we 
funded the development of it," he said.

"The Root Key Operator is going to be in a highly trusted position. It's 
going to be a highly trusted entity. The idea that anyone in that position 
would abuse it to spoof addresses is just silly."



---------------------------------------------------------------------
To unsubscribe, e-mail: infowar -
de-unsubscribe -!
- infopeace -
de
For additional commands, e-mail: infowar -
de-help -!
- infopeace -
de