Re: https at ietf.org

On Dec 10, 2013, at 6:00 AM, John C Klensin <john-ietf@xxxxxxx> wrote:

> While the integrity checks of DNSSEC provide some protection
> against some types of attacks on the "data quality" part of the
> DNS environment, the attacks they protect against are very
> difficult.  An attacker with the resources to apply them would
> almost certainly find it easier, less resource-expensive, and
> harder to detect to attack registry databases (before data are
> entered into DNS zones and signed), registrar practices, or
> post-validation servers.  Non-technical attacks, such as the
> oft-cited hypothetical NSL, are easily applied at those points
> as well -- much more easily than tampering with keys or
> signatures.

Dear John,

The opacity of CAs, DNS, and BGP places all forms of security at risk!  These mechanisms are never stronger than their weakest link.  Without burdensome cryptographic checking, no Internet service should be trusted.  DANE in conjunction with DNSSEC affords a much needed transparency to expose exchanges at risk.

TLS should be considered a two-way certificate exchange resolving domains rather than individuals.  For example, a federated service like email lacking two-way certificate checks cannot be defended from abuse, nor can the privacy of those using such a service be assured.  Transparency in the security mechanism should fully illuminate domains, not individuals.  TLS and StartTLS contain elements for two-way certificate exchange and can make a needed transition from CAs to DANE while providing a verifiable chain of trust to the controlling domain.

Of course, websites have adopted synthetic domains as an alternative to web cookies.  When naughty synthetic domains are used, no amount of encryption protects individuals when metadata remains fully apparent.  Perpass documents should have included stronger statements about protecting services as opposed to suggesting shortcuts in the guise of affording privacy.  No conversation should ever be considered private without first ensuring the controlling domain at each end of the exchange.

Regards,
Douglas Otis



