Re: [saag] : DNSSEC PKI semantics and risks (was tangentially: Last Call: <draft-dukhovni-opportunistic-security-01.txt>)

On Thu, Aug 7, 2014 at 2:02 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
> On Thu, 7 Aug 2014, Phillip Hallam-Baker wrote:
>
> <trans wg cochair hat on>
>
>> The reason TRANS does not currently appear to be relevant to the
>> DNSSEC advocates is that they are simplifying the PKI problem to
>> exclude consideration of the entire class of attacks that TRANS is
>> designed to control.
>
> We have had only very preliminary TRANS DNSSEC discussion so far.
>
> I am not aware of anything being excluded at this point. Some concerns
> raised do relate to the sheer size of DNS and what to log and what not
> to log to keep the log servers alive.
>
> What do you believe has already been excluded from TRANS with respect to
> DNSSEC by DNSSEC advocates?

That is not what I wrote.

What I was saying is that the need for TRANS is not going to be
understood by people who believe that the 500+ DNS registrars are all
trustworthy and that the mechanisms that the now 300+, soon to be
1,000s of registries deploy to ensure that keys are only introduced by
the authorized party will all work without any possibility of error or
attack.


TRANS is the way to deploy DNSSEC.

CAs will be doing CT; Google has told us we will.

CAs have the infrastructure to walk people through deployment of
cryptographic apparatus.
