On Wed, Sep 23, 2015 at 8:55 AM, Philip Homburg <pch-ietf-2@xxxxxxxxxxxxxx> wrote:
> But for ordinary e-mail, if we can trust the CA system to protect websites,
> why not trust DNSSEC to protect e-mail?
That isn't really the reason to be concerned.
What worries me is that DANE is one way to use DNSSEC to secure things. DANE is not necessarily the best way to apply DNSSEC. DNSSEC is not necessarily the best tool to approach this problem.
And we have the fact that the Snowden documents tell us that $250 million is spent every year on the BULLRUN program to sabotage standards efforts to produce strong crypto.
My #1 concern is that some of the folk behind this proposal have a long history of sharp elbows. As soon as they get an IETF endorsement for their scheme, they then use it to tell other people with other ideas that they must stop working on them, stop talking about them because THE DECISION HAS BEEN MADE.
It is total bullcrap of course. And most of us know not to get suckered in. But that has been done to me repeatedly and I am sick of it. So I would like any document to have a disclaimer at the top of every page saying that this is only experimental and does not commit the IETF to one particular approach.
OK so that said, about using DNSSEC. I don't think it is going to get anywhere because most people don't have the required control over their DNS to make this happen. That might change in the future, but people have been trying to put email addresses into DNS records since the first edition of the spec and none of those schemes has been successful.
If you want a scheme that might be used by a few hundred thousand system administrators, well it is better than nothing at all and might be successful. But this is no solution to the problem of pervasive surveillance and people need to be aware of that.