--On Monday, August 11, 2014 07:36 +1200 Brian E Carpenter <brian.e.carpenter@xxxxxxxxx> wrote:

> On 11/08/2014 06:18, Andrew Sullivan wrote:
>> On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:
>>> As far as I can tell, we don't have a good word to describe
>>> what DNSSEC does.
>>
>> Nonsense. "This data was not tampered with while in transit
>> from the authoritative server to you." That's what it does.
>
> What people are pointing out is that this is no better, and no
> worse, than the seal on a snake oil bottle proving that the
> snake oil has not been tampered with since it left the factory.

Exactly.

> Unfortunately, the average user can easily confuse that with an
> assurance that the snake oil will cure your illness. There
> isn't much we can do to change that.

We can be very careful about the statements and assertions we make. And we can pay attention to how those statements are likely to be interpreted and be even more cautious about those that stretch things a bit. A seal that says "genuine, factory-sealed, snake oil" is different from one that says "genuine curative for all ills, sealed at the factory by genuine snakes". Similarly, there is a difference between "genuine, IETF-approved, snake oil bottle sealing system" and "genuine, IETF-approved, snake oil sealed bottle". The latter two mean the same thing if read carefully enough, but the final one is very easily misinterpreted. I suggest we have some obligation to try to avoid, and help others avoid, the second of each pair.

Those issues are, IMO, a great deal more sensitive when we move beyond certification of the integrity (in the "same thing at authoritative server and as received" sense) of DNS responses to using that same set of DNS relationships to certify keys or other material that are used for identity assurance in other environments. Not because the issues are different (although they are, a bit), but because "identity assurance" is popularly interpreted as involving much stronger statements than "correct response to DNS query".

john