Re: dane-openpgp 2nd LC resolution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/14/2016 04:18 PM, Paul Wouters wrote:
Yes, you are about 1.5 years late. And your arguments are (un)fortunately
not new arguments. Since the archive on this draft is rather huge, I can
understand that you missed part of this discussion. So for completeness
sake, I will answer your questions again.

Thank you for your patience in explaining your reasoning, and again, I'm sorry for coming late to the party. And thanks as well for confirming that my memory is correct ... at one time I did hear that this topic was going in the direction of signatures rather than certs. Unfortunate that I didn't follow it closer.

Regarding what you said and what your goals are, I think that we are pretty far apart. I will send a detailed response to your message on the DANE list soon. In all likelihood I will also create a new I-D with my ideas specified in more detail. Perhaps what is needed is more than one experiment. :)

In regards to the current last call, while your explanations do help to alleviate a few of my concerns, in large part I am still not enthusiastic about this version of the draft proceeding.

In particular I think the concern about these RRs being used for DDOS amplification remains. There is no mechanism in place currently in any name server software that I am aware of to limit responses to queries in the manner you describe (only send answers if the query comes over TCP or with DNS-Cookies). Further, I don't see that happening any time soon.

Close behind that concern, the larger IETF community (or at least some very vocal segments of it) have serious concerns about this type of opportunistic encryption happening at all, or in my case, without user input. They (and to some extent I) remain unconvinced that your assertion that this type of opportunistic encryption is always better than the current state. Personally, I need to think more about that, but at least in the early stages of an experiment in tying PGP keys to DNS RRs, I'm definitely opposed.

FWIW,

Doug




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]