Ted,

What I like about this message is that you have demonstrated the potential severability of these issues. Things are set up as they are for a matter of scaling. Clearly it ain't perfect, and as one of my mentors would say, that represents an opportunity. It's also pretty clear that we should be reviewing this stuff in consultation with ICANN's SSAC committee.

Eliot

On 9/12/13 7:21 PM, Theodore Ts'o wrote:
Fair enough, but if the goal is to prevent pervasive surveillance, simply using a key exchange which provides perfect forward secrecy will do that, even given the pathetic state of https security given the realities of the web and the CAs out there. Still, I agree with the general precept that perfect should not be the enemy of the better, and DNSSEC certainly adds value. I just get worried about people who seem to think that DNSSEC is a panacea.

- Ted