Some, but not all, censorship attempts may be justified. For example, consider the case where you want to discourage users from visiting known phishing sites or domains that have been registered for botnet herders to regain control after a communications loss. We probably don't want that type of filtering added into the ICANN root, but it might well be the sort of thing that an enterprise might want to implement for its internal network.

While that type of infrastructure makes a form of political censorship somewhat more straightforward, it only enables a pretty weak form of censorship that is easily evaded.

In general, I think we should stop worrying about enabling government censorship in security protocols. If we care about stopping censorship we should build a protocol that is designed from the ground up with the purpose of being censorship-proof. Such a protocol would probably use USB keys for transport rather than the Internet or a mixture of Internet and USB.

Worrying about incremental possibilities is pointless; the enemy already has far greater capabilities than people worry about.

On Sun, Jun 14, 2009 at 10:51 AM, Ralf Weber <rw@xxxxxxxx> wrote:
> Hi!
>
> On 14.06.2009, at 10:35, Florian Weimer wrote:
>>>
>>> In DNS, the vast majority of DNS resolvers are maintained by hosting
>>> providers. Thus no true end-to-end service is possible.
>>
>> Wrong. The majority of resolvers are maintained by Microsoft.
>> Microsoft could ship the KSK for the root to customer machines in a
>> security update. As it happens, in this case, the KSK wouldn't even
>> be the penultimate key, showing that the debate over who holds the KSK
>> is quite pointless. Now that we've got automatic software updates, we
>> don't even need a signed root.
>
> Can you elaborate on that?
> Last time I checked most of the Windows OS I
> know got their resolver IP from the DHCP server which either is the ISP's
> resolver, or the address of the broadband gateway, which DNS proxies to
> the ISP's resolver. I know how non-recursive validating stub resolvers
> should work, I just haven't seen them deployed widely. Even business
> customers, which is the majority of customers we have, tend to use our
> (the ISP) resolvers directly. That might be also the reason why
> governments love to use them to block content ;-).
>
> So long
> -Ralf
> ---
> Ralf Weber
> Platform Infrastructure Manager
> Colt Telecom GmbH
> Herriotstrasse 4
> 60528 Frankfurt
> Germany
> DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
> Fax: +49 (0)69 56606 6280
> Email: rw@xxxxxxxx
> http://www.colt.net/
> Data | Voice | Managed Services
>
> Protect your environment | Think first, then print
>
> *****************************************
> COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Germany * Tel
> +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *
>
> Managing Directors: Dr. Jürgen Hernichel (Chair), Rita Thies * Frankfurt/Main
> District Court HRB 46123 * VAT ID No. DE 197 498 400
>

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf