Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] UPI 12.04.07: Analysis: Owning the keys to the Internet

Published: April 12, 2007 at 12:52 PM
Analysis: Owning the keys to the Internet

UPI Homeland and National Security Editor

WASHINGTON (UPI) -- The U.S. government is pressing ahead with plans to implement a new security regime for the basic architecture of the World Wide Web, despite unease in some corners of the international Internet management community.

"This is the U.S. government stepping forward and showing leadership," Douglas Maughan, an official with the Department of Homeland Security's Science and Technology Directorate, told United Press International.

At issue is the long-debated implementation of a new security system governing the Domain Name System, or DNS, the Internet architecture that directs surfers to the sites they want to visit. The DNS translates the familiar www Web page addresses known as URLs into the numerical Internet Protocol, or IP, codes which identify the servers hosting that page.

Because DNS, like much of the Internet, was built with a relatively open architecture, it is possible to fake Internet addresses. Various techniques for doing this, known to specialists as DNS "spoofing" or "poisoning," are widely used by cyber-criminals. They can con people into believing they are logging on to their bank or e-mail accounts, entering personal information or passwords that can then be used to rob them.

The DNS Security Extensions Protocol, or DNSSec, is designed to end such abuse by allowing the instantaneous authentication of DNS information -- effectively creating a series of digital keys for the system.

One lingering question -- largely academic until now -- has been who should hold the key for the so-called DNS Root Zone, the part of the system that sits above the so-called Top Level Domains, like .com and .org.

The U.S. Department of Homeland Security is funding the development of a technical plan for implementing DNSSec, and last October distributed an initial draft of it to a long list of international experts for comments.

The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor.

"Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security.

Maughan said a new version of the draft specification, incorporating suggestions from the experts who reviewed it, would be released later this year for public comment.

"We are still working through some of the process issues" such as how to record and respond to all the public comments, he said, adding he hoped the document would be released "no later than the end of the summer."

He said the new version adopts a different nomenclature for the Root Key Operator, "to make it clear that a non-governmental organization or non-U.S. governmental agency could play the role."

"We recognize that increasing the security of the Internet requires global cooperation," stated a note accompanying the draft technical specification when it was circulated last year.

Nonetheless, at a recent meeting in Lisbon of the Internet Corporation for Assigned Names and Numbers, the international non-profit that currently manages DNS, there was some concern that the U.S. government might push ahead with implementation unilaterally.

"Our concern is that if unilateral action is taken it could generate friction in the operation of the Internet," Bernard Turcotte, president of the Canadian Internet Registration Authority, who was at the Lisbon meeting, told UPI.

Maughan said that while the U.S. government was committed to implementing DNSSec this year in the .gov domain, which it owns, that could be done independently, regardless of whether the new security system was rolled out Internet-wide or not.

"We can secure .gov and all the zones under .gov (like, or even if the Root (Zone) remains unsigned," he said, pointing out that Sweden had already implemented a digital key for the Country-Code Top Level Domain, .se, which it owned.

"You can secure islands of DNS ... we can secure our .gov infrastructure. That has nothing to do with the Root Zone Key," Maughan said.

"U.S. government agencies will be among the first to implement DNSSec," said Maughan, "This is the U.S. government stepping forward and showing leadership."

But he added that the U.S. government regards this as only the first step in the deployment of DNSSec globally. "It will take a lot more people to get involved to get that done," said Maughan, pledging that implementation "as directed by the president in the U.S. National Strategy to Secure Cyberspace" would go ahead.

It is that determination that worries some observers.

"To a large extent the Internet works because it is a collaborative effort," said Turcotte. "We want to avoid friction and conflict ... We want to ensure that whatever measures are implemented are well coordinated."

In part, he said, concern stems from the fact that the U.S. government, which currently manages and audits the Root Zone through the Department of Commerce and the contractor Verisign, is in a strong position to push ahead unilaterally -- something that is resented in some quarters.

"There are some governments that seem upset about that (U.S. role as auditor), but there has never been any reason to be. The U.S. government has handled its oversight responsibilities very well," he said.

Nonetheless, one report of the Lisbon meeting on an obscure German news Web site -- which was widely circulated on the Internet this month -- accused the Department of Homeland Security of having demanded "the master key" to the Internet.

The report led many so-called Netizens -- members of large and long established Internet discussion sites like Slashdot -- to question the motives of the U.S. government.

Several contributors suggested that possessing the Root Zone Key would make the U.S. government the only entity that could "spoof" DNS addresses.

Maughan dismissed the flap as "silly."

"The only mention of (the Department of Homeland Security) in the (draft DNSSec specification) is on the front cover. Our logo is there because we funded the development of it," he said.

"The Root Key Operator is going to be in a highly trusted position. It's going to be a highly trusted entity. The idea that anyone in that position would abuse it to spoof addresses is just silly."

To unsubscribe, e-mail: infowar -
de-unsubscribe -!
- infopeace -
For additional commands, e-mail: infowar -
de-help -!
- infopeace -