What I hope to cover

A. General

1. Security Goal
   - Goal is cost-effective minimization of risk; we can't reduce the risk to zero.
   - Does not assume malevolence (though that is what is most frequently considered).

2. Threats
   - insider vs. external
     o NSI has been hit by both.
     o Insider is by far the most important.
     o But an outsider can become an insider.
   - threats to registrars vs. threats to coredb
   - change continuously

3. Distributed/replicated systems multiply the risk.
   - it's worse than that, of course
   - therefore COREDB CANNOT TRUST THE REGISTRARS

B. Encryption

1. IMO we don't need encryption
   - information is largely public
   - encryption across an international enterprise is legally complex

2. We *do* need digital signatures
   - the supposed usability problems with PK are overstated
   - technologies used for authentication are much less constrained legally
   - key management is the big problem
     o dealing with key compromise
     o dealing with key distribution

C. Design implications

1. External threats
   - COTS solutions available (basically, firewalls)
   - coredb must be designed to consider registrars as sources of external threats

2. Internal threats
   - internal to registrar
   - internal to coredb

D. Basic security design of initial system

  I |    ------          -------------             ------
  N |---|  FW  |--------|  Front end  |-----------|  DB  |
  T |    ------         |    & ftp    |            ------
  E |                    -------------
  R |     -----------
  N |----|  TLD DNS  |
  E |     -----------
  T |     ---------
    |----|  whois  |
          ---------

1. Two modes of registrar access
   - public queries
     o handled through machines outside the firewall
   - db modification
     o machines behind the firewall

2. Email-based initially; it is easy to go to a more efficient ad hoc protocol later.

3. Firewall configured to only pass email and zone updates/whois data out to specific sites.
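One way to put "coredb cannot trust the registrars" into practice at the point where an e-mail update arrives, as an added example that is not part of these notes: coredb checks the registrar's digital signature against the key it holds, refuses a key reported compromised, refuses a replayed message, and takes sponsorship from its own records rather than from the message. The names Coredb, Update and Admit, the message format and the Ed25519 scheme are assumptions here; the notes only say "digital signatures".

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Update is one registrar request as coredb would parse it out of the e-mail
// body (constructed format): claimed sender, the change, a per-registrar
// serial so a captured message cannot be replayed, and the signature.
type Update struct {
	Registrar, Domain, Action string
	Serial                    uint64
	Sig                       []byte
}

// Canonical is the exact byte string the registrar signs.
func (u Update) Canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d\n", u.Registrar, u.Domain, u.Action, u.Serial))
}

// Coredb holds only state coredb itself maintains: registrar public keys, keys
// reported compromised, the sponsoring registrar per domain, last serial seen.
type Coredb struct {
	Keys       map[string]ed25519.PublicKey
	Revoked    map[string]bool
	Sponsor    map[string]string // domain -> sponsoring registrar
	LastSerial map[string]uint64
}

// Admit runs the checks coredb applies before any DB write. The claimed
// registrar name is not believed until the signature verifies under coredb's key.
func (c *Coredb) Admit(u Update) error {
	pub, ok := c.Keys[u.Registrar]
	switch {
	case !ok:
		return fmt.Errorf("unknown registrar %q", u.Registrar)
	case c.Revoked[u.Registrar]:
		return fmt.Errorf("key of %q revoked (reported compromised)", u.Registrar)
	case !ed25519.Verify(pub, u.Canonical(), u.Sig):
		return fmt.Errorf("signature does not verify")
	case u.Serial <= c.LastSerial[u.Registrar]:
		return fmt.Errorf("serial %d not newer than last accepted", u.Serial)
	case c.Sponsor[u.Domain] != u.Registrar:
		return fmt.Errorf("%q does not sponsor %s", u.Registrar, u.Domain)
	}
	c.LastSerial[u.Registrar] = u.Serial
	return nil
}

func main() {}
```

Key distribution (how coredb learns a registrar's key in the first place) is outside this block; it only shows what coredb can check once it holds a key.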