On 4/10/21 11:31 AM, John Levine wrote:
> It appears that Viktor Dukhovni <ietf@xxxxxxxx> said:
>> Ben's claim that CAs are "more secure" than DNSSEC is demonstrably
>> in error in a world where all that CAs do is issue DV certs that
>> attest to "domain control".
>
> More than that, the security of your DNS depends on the providers in
> the chain between you and the root, which is typically short, and over
> which you have a lot of control. If you have a valuable domain, you
> can use a high security registrar that applies controls to zone
> changes. With PKI, your security is only as good as the worst of all
> of the CAs in someone's browser, nearly all of which have no relation
> to you and most of which you've never heard of.
>
> This is not a new argument and I doubt we're going to say anything new here.

The gist of my post was not that there was something new, per se, but
that there are many companies like Google, MS, Apple who are in a good
position to run an experiment and see how it pans out from a deployment
standpoint. One of the good things to come out of QUIC and SPDY is the
revelation that if you own both ends of the platform, you don't have to
get buy-in just to see if you're on the right track or not. I mean I
could build up an experiment just to show proof of concept, but I don't
have the ability to see in the real world how much it helps like the
real-world data they got with QUIC and SPDY.

Heck, maybe even IETF or W3C could have a hand in coordinating
experiments so that they can be fed back to the appropriate working
groups. Like I said, probably the biggest takeaway of QUIC is that we
can prove whether something deserves more work or not instead of the usual
"Build It and They Will Come" failure mode, which DANE seems to be
suffering from as well, from what I can tell.

Mike