On Thu, Aug 7, 2014 at 2:02 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
> On Thu, 7 Aug 2014, Phillip Hallam-Baker wrote:
>
> <trans wg cochair hat on>
>
>> The reason TRANS does not currently appear to be relevant to the
>> DNSSEC advocates is that they are simplifying the PKI problem to
>> exclude consideration of the entire class of attacks that TRANS is
>> designed to control.
>
> We have had only very preliminary TRANS DNSSEC discussion so far.
>
> I am not aware of anything being excluded at this point. Some concerns
> raised do relate to the sheer size of DNS and what to log and what not
> to log to keep the log servers alive.
>
> What do you believe has already been excluded from TRANS with respect to
> DNSSEC by DNSSEC advocates?

That is not what I wrote.

What I was saying is that the need for TRANS is not going to be understood
by people who believe that the 500+ DNS registrars are all trustworthy and
that the mechanisms that the now 300+, soon to be 1,000s of registries
deploy to ensure that keys are only introduced by the authorized party will
all work without any possibility of error or attack.

TRANS is the way to deploy DNSSEC. CAs will be doing CT; Google has told us
we will. CAs have the infrastructure to walk people through deployment of
cryptographic apparatus.