Eric Osterweil

Principal Scientist.

Eric Osterweil is a principal scientist in Verisign’s CTO group. His research focuses on several aspects of internet security and architecture. This includes DNS-based Authentication of Named Entities (DANE), DDoS attacks, BGP routing security, large-scale measurements and evolving trends in internet architectures.

Prior to joining Verisign, Osterweil worked as a software architect and technical team lead at various companies. He is an active member of the Internet Engineering Task Force (IETF) and other research communities. As part of his participation in the community, Osterweil has authored several utilities (SecSpider, RPKISpider, dnsfunnel, Vantages and Ibsh) that have helped facilitate and evolve the deployment of standards, like DNSSEC. Additionally, Eric previously served as the program manager for the Verisign Labs university affiliates program.

Eric received his Bachelor of Arts in computer science and physics from Johns Hopkins University and his doctorate in computer science from UCLA. He completed his thesis work in the Internet Research Lab (IRL), and his dissertation topic was a new substrate for internet-scale security systems called “Measurable Security.”

Recent posts by Eric Osterweil:


“What’s in a Name?” Using DANE for Authentication of Internet Services

Do we already have strong security protections for our Internet services? For many years now, we have had numerous cryptographically enhanced protocols. Standards and suites like S/MIME, Transport Layer Security (TLS), IP Security (IPSec), OpenPGP, and many others have been mature for years, have offered us a range of protections, and have been implemented by a wealth of code. Indeed, based on these protections, we already count on having “secure” eCommerce transactions, secure point-to-point phone calls that our neighbors can’t listen in on, secure Virtual Private Networks (VPNs) that let us remotely connect to our internal enterprise networks, etc. However, our Internet security protocols have all excluded a very important step from their security analyses: none of them describes a crucial step called secure key learning. That is, before we can encrypt data or verify signatures, how does someone bootstrap and learn which cryptographic keys are needed? In the absence of a way to do this, we have traditionally prefaced the security protections from these protocols with techniques like Out of Band (OOB) key learning (learning keys in an unspecified way) or Trust on First Use (ToFU) key learning (just accepting whatever keys are found first), and each protocol must do this separately (and potentially in its own, different, way). This is because the protocols we use for protections have not formally specified a standardized way to securely bootstrap themselves.
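As an added illustration of the key-learning step DANE supplies (this is example code written for this page, not code from the post or from any Verisign tool), the check below matches a presented certificate against a TLSA RRset using the selector and matching-type fields defined in RFC 6698. The certificate and SPKI bytes are constructed placeholders, only certificate usage 3 (DANE-EE) is handled, and the RRset is assumed to have already been DNSSEC-validated, since that validation is what turns the lookup into secure key learning rather than trust on first use.

```python
import hashlib
import hmac

# RFC 6698 TLSA RDATA fields: certificate usage, selector, matching type, association data.
SELECTOR_FULL_CERT = 0   # association data describes the whole certificate
SELECTOR_SPKI = 1        # association data describes only the SubjectPublicKeyInfo
MATCH_EXACT = 0          # association data is the raw bytes
MATCH_SHA256 = 1         # association data is SHA-256 of the selected bytes
MATCH_SHA512 = 2         # association data is SHA-512 of the selected bytes
USAGE_DANE_EE = 3        # end-entity match, no PKIX chain validation required

# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real ASN.1).
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-spki-der-bytes"


def parse_tlsa(presentation):
    """Parse TLSA presentation format, e.g. '3 0 1 <hex>', into its four fields."""
    usage, selector, mtype, data = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def association_data(cert_der, spki_der, selector, mtype):
    """Compute the association data a TLSA record would carry for this certificate."""
    selected = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_matches(tlsa_rrset, cert_der, spki_der):
    """Return True if any DANE-EE record in the (already DNSSEC-validated) RRset matches."""
    for rr in tlsa_rrset:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage != USAGE_DANE_EE:
            continue  # usages 0-2 would also need PKIX chain checks; not modelled here
        try:
            expected = association_data(cert_der, spki_der, selector, mtype)
        except (KeyError, ValueError):
            continue  # unknown selector or matching type: RFC 6698 says treat as unusable
        if hmac.compare_digest(expected, data):
            return True
    return False


def demo():
    """Constructed RRsets: one that matches the presented cert, one that does not."""
    good = ["3 0 1 " + hashlib.sha256(CERT_DER).hexdigest()]
    spki = ["3 1 2 " + hashlib.sha512(SPKI_DER).hexdigest()]
    bad = ["3 0 1 " + "00" * 32, "1 0 1 " + hashlib.sha256(CERT_DER).hexdigest()]
    return (tlsa_matches(good, CERT_DER, SPKI_DER),
            tlsa_matches(spki, CERT_DER, SPKI_DER),
            tlsa_matches(bad, CERT_DER, SPKI_DER))
```

The third RRset in `demo()` fails on purpose: its usage-1 record would need PKIX validation, which this snippet does not perform, and its usage-3 record carries a digest that does not match.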