[infowar.de] UPI 12.04.07: Analysis: Owning the keys to the Internet
Published: April 12, 2007 at 12:52 PM
Analysis: Owning the keys to the Internet
By SHAUN WATERMAN
UPI Homeland and National Security Editor
WASHINGTON (UPI) -- The U.S. government is pressing ahead with plans to
implement a new security regime for the basic architecture of the World
Wide Web, despite unease in some corners of the international Internet
"This is the U.S. government stepping forward and showing leadership,"
Douglas Maughan, an official with the Department of Homeland Security's
Science and Technology Directorate, told United Press International.
At issue is the long-debated implementation of a new security system
governing the Domain Name System, or DNS, the Internet architecture that
directs surfers to the sites they want to visit. The DNS translates the
familiar www Web page addresses known as URLs into the numerical Internet
Protocol, or IP, codes which identify the servers hosting that page.
Because DNS, like much of the Internet, was built with a relatively open
architecture, it is possible to fake Internet addresses. Various techniques
for doing this, known to specialists as DNS "spoofing" or "poisoning," are
widely used by cyber-criminals. They can con people into believing they are
logging on to their bank or e-mail accounts, entering personal information
or passwords that can then be used to rob them.
The DNS Security Extensions Protocol, or DNSSec, is designed to end such
abuse by allowing the instantaneous authentication of DNS information --
effectively creating a series of digital keys for the system.
One lingering question -- largely academic until now -- has been who should
hold the key for the so-called DNS Root Zone, the part of the system that
sits above the so-called Top Level Domains, like .com and .org.
The U.S. Department of Homeland Security is funding the development of a
technical plan for implementing DNSSec, and last October distributed an
initial draft of it to a long list of international experts for comments.
The draft lays out a series of options for who could be the holder, or
"operator," of the Root Zone Key, essentially boiling down to a
governmental agency or a contractor.
"Nowhere in the document do we make any proposal about the identity of the
Root Key Operator," said Maughan, the cyber-security research and
development manager for Homeland Security.
Maughan said a new version of the draft specification, incorporating
suggestions from the experts who reviewed it, would be released later this
year for public comment.
"We are still working through some of the process issues" such as how to
record and respond to all the public comments, he said, adding he hoped the
document would be released "no later than the end of the summer."
He said the new version adopts a different nomenclature for the Root Key
Operator, "to make it clear that a non-governmental organization or
non-U.S. governmental agency could play the role."
"We recognize that increasing the security of the Internet requires global
cooperation," stated a note accompanying the draft technical specification
when it was circulated last year.
Nonetheless, at a recent meeting in Lisbon of the Internet Corporation for
Assigned Names and Numbers, the international non-profit that currently
manages DNS, there was some concern that the U.S. government might push
ahead with implementation unilaterally.
"Our concern is that if unilateral action is taken it could generate
friction in the operation of the Internet," Bernard Turcotte, president of
the Canadian Internet Registration Authority, who was at the Lisbon
meeting, told UPI.
Maughan said that while the U.S. government was committed to implementing
DNSSec this year in the .gov domain, which it owns, that could be done
independently, regardless of whether the new security system was rolled out
Internet-wide or not.
"We can secure .gov and all the zones under .gov (like dhs.gov, or
usdoj.gov) even if the Root (Zone) remains unsigned," he said, pointing out
that Sweden had already implemented a digital key for the Country-Code Top
Level Domain, .se, which it owned.
"You can secure islands of DNS ... we can secure our .gov infrastructure.
That has nothing to do with the Root Zone Key," Maughan said.
"U.S. government agencies will be among the first to implement DNSSec,"
said Maughan, "This is the U.S. government stepping forward and showing
But he added that the U.S. government regards this as only the first step
in the deployment of DNSSec globally. "It will take a lot more people to
get involved to get that done," said Maughan, pledging that implementation
"as directed by the president in the U.S. National Strategy to Secure
Cyberspace" would go ahead.
It is that determination that worries some observers.
"To a large extent the Internet works because it is a collaborative
effort," said Turcotte. "We want to avoid friction and conflict ... We want
to ensure that whatever measures are implemented are well coordinated."
In part, he said, concern stems from the fact that the U.S. government,
which currently manages and audits the Root Zone through the Department of
Commerce and the contractor Verisign, is in a strong position to push ahead
unilaterally -- something that is resented in some quarters.
"There are some governments that seem upset about that (U.S. role as
auditor), but there has never been any reason to be. The U.S. government
has handled its oversight responsibilities very well," he said.
Nonetheless, one report of the Lisbon meeting on an obscure German news Web
site -- which was widely circulated on the Internet this month -- accused
the Department of Homeland Security of having demanded "the master key" to
The report led many so-called Netizens -- members of large and long
established Internet discussion sites like Slashdot -- to question the
motives of the U.S. government.
Several contributors suggested that possessing the Root Zone Key would make
the U.S. government the only entity that could "spoof" DNS addresses.
Maughan dismissed the flap as "silly."
"The only mention of (the Department of Homeland Security) in the (draft
DNSSec specification) is on the front cover. Our logo is there because we
funded the development of it," he said.
"The Root Key Operator is going to be in a highly trusted position. It's
going to be a highly trusted entity. The idea that anyone in that position
would abuse it to spoof addresses is just silly."