On Wed, Jan 2, 2013 at 9:46 AM, John Day <jeanjour@xxxxxxxxxxx> wrote:
-- Interesting as always.But beyond the illegitimate concerns, there are some important legitimate ones. In particular a country like France has to be concerned that if it gets into a trade dispute with the US that the US administration can't force it into submission by threatening to cut off its connection to the Internet or any other essential communication technology.This is not a theoretical consideration. The reason that there is no central repository for RFID product identifiers is that the French government decided that the proposals on the table would give the US the ability to control the sale of French products by ordering the maintainer of the registry not to publish them. That would effectively make it impossible to sell them through the electronic supply chain. So they made sure that the registry did not happen.Then the RFID folks had written a lousy standard. It is pretty easy to design a decentralized name space methodology, such that no one can control the whole thing. Regulating to protect stupidity interferes with Darwin. ;-)
Which was my on-topic conclusion.
If IETF wants to avoid government level politics then we have to design the technology in such a way that we eliminate or mitigate any control points.
The WebPKI has been successfully deployed precisely because it has sufficient hierarchy to be scalable without establishing a single control point like the PEM proposal.
I don't think we will see DNSSEC or BGPSEC being allowed to propagate unless attention is paid to the legitimate interest of states to avoid technology capture.
DNSSEC does not replace the WebPKI, nor does BGPSEC. But we need all three security layers if we are going to achieve a comprehensive security solution for the Internet. Each technology has a very specific purpose:
BGPSEC: Prevent/mitigate Denial of Service attacks through bogus route advertisement
DNSSEC: Distribute security policy information tied to the Internet naming system
WebPKI: Establish accountability of the parties at the Internet end points.
At the moment we have a broken system because DNSSEC is being sold as a 'free' replacement for WebPKI which is a losing proposition as (1) the cost of deploying DNSSEC is many times the cost of buying a domain validated SSL certificate (2) the real purpose of the WebPKI is to establish accountability which requires a stronger credential than merely having bought a DNS name.
Website: http://hallambaker.com/