In message <20140410141406.GF15925@xxxxxxxxx>, Theodore Ts'o writes:
> On Wed, Apr 09, 2014 at 04:15:53PM -0400, Steve Crocker wrote:
> > My own opinion is related but not identical. I agree solutions 1
> > and 3 are failures; 1 doesn't provide the trust and 3 doesn't scale.
> > Solution 2 is also problematic because the government tends to
> > overreach and there isn't a single government.
> >
> > DNSSEC provides a base platform to build upon. It doesn't claim to
> > provide the level of trust the CA system tried to provide. That's a
> > key strength, not a weakness.
>
> DNSSEC basically has the same properties as the "race to the bottom
> certifying authorities" model, except it's a "race to the bottom of
> the DNS registries" --- and in some cases, the same company runs both a
> CA and a DNS registry. "Meet the new boss, same as the old boss"....

Not quite the same. A CA could issue a cert without any checking for
any domain. Here you need to be the registrar of record to add records
to the registry. Also, a registry can only add records for the namespace
it manages, not any arbitrary name.

So to get a bad DS added you need to be a corrupt registry or a corrupt
employee of a registry, or you need to compromise the registrant's
credentials, or you need to succeed in transferring the zone to you.
The registry can provide some protection for some of these threats.
This is a smaller attack surface than the plain CA attack surface.

> So if you're willing to disclaim the amount of trust that the CA
> system purports to provide, it's really a question of "IPSEC" vs "TLS"
> --- i.e., at which layer of the stack you are applying the protection.
>
> Cheers,
>
> - Ted

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
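Added example, not part of this thread or of any ISC code: the audit a zone operator can run against the "bad DS" case Mark describes. It recomputes DS records from the zone's own DNSKEY RRset per RFC 4034 (section 5.1.4 for the digest over owner name plus DNSKEY RDATA, Appendix B for the key tag) and flags any DS the parent publishes that no key in the zone reproduces, which is what a DS delegating trust to an attacker's key looks like from the registrant's side. The zone name, flags and key bytes in `demo()` are constructed placeholders, not real keys; a real audit would feed it the parent's DS RRset and the child's DNSKEY RRset from a resolver.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material, RDATA after the algorithm byte


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: str         # hex, as published in the parent zone


# Digest types this audit can recompute (RFC 4034 / RFC 4509 / RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (the ones-complement-style sum over
    RDATA). Algorithm 1 (RSA/MD5) uses a different rule and is refused here."""
    if key.algorithm == 1:
        raise ValueError("algorithm 1 key tag not supported")
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 s5.1.4: digest = H(canonical owner name || DNSKEY RDATA)."""
    h = DIGESTS[digest_type]
    digest = h(name_to_wire(key.owner) + dnskey_rdata(key)).hexdigest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def verify_ds_set(parent_ds: list[DS], child_keys: list[DNSKEY]) -> dict[str, list[DS]]:
    """Audit the DS RRset published at the parent against the child's DNSKEYs.

    'matched'     - recomputing the DS from some child key reproduces it.
    'orphan'      - no child key does: trust is delegated to a key the zone
                    does not hold (the bad-DS case, or a stale DS after a
                    key rollover; both deserve a look).
    'unsupported' - digest type this code cannot recompute.
    """
    result: dict[str, list[DS]] = {"matched": [], "orphan": [], "unsupported": []}
    for ds in parent_ds:
        if ds.digest_type not in DIGESTS:
            result["unsupported"].append(ds)
            continue
        expected = {
            ds_from_dnskey(k, ds.digest_type)
            for k in child_keys
            if k.algorithm == ds.algorithm
        }
        normalized = DS(ds.key_tag, ds.algorithm, ds.digest_type, ds.digest.lower())
        result["matched" if normalized in expected else "orphan"].append(ds)
    return result


def demo() -> dict[str, list[DS]]:
    # Constructed sample data: the 64-byte strings are arbitrary bytes standing
    # in for P-256 key material, not real keys.
    zone_ksk = DNSKEY("example.com.", 257, 3, 13, bytes(range(64)))
    zone_zsk = DNSKEY("example.com.", 256, 3, 13, bytes(range(64, 128)))
    attacker_key = DNSKEY("example.com.", 257, 3, 13, bytes(range(128, 192)))
    legit_ds = ds_from_dnskey(zone_ksk, 2)
    rogue_ds = ds_from_dnskey(attacker_key, 2)   # what a corrupt/compromised registry path could publish
    gost_ds = DS(1, 13, 3, "00" * 32)             # digest type 3 (GOST), not recomputable here
    return verify_ds_set([legit_ds, rogue_ds, gost_ds], [zone_ksk, zone_zsk])


if __name__ == "__main__":
    for bucket, records in demo().items():
        for ds in records:
            print(bucket, ds.key_tag, ds.algorithm, ds.digest_type, ds.digest)
```

The check only tells you whether the parent's DS set is consistent with keys you actually control; it cannot tell you who got it there. An orphan DS that you did not publish is the signal to go to the registrar and registry immediately, since a validating resolver will happily accept a chain built through it.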