Re: DNSSEC - Signature Only vs the MX/A issue.
> > so, here's what i told stuart cheshire: if you believe that the web is all
> > there is to the internet, or you believe that the approach taken for
> > securing https/imaps/smtps is appropriate for all future
> > applications/protocols used on the internet, then it's natural that you
> > would think ssl/tls/x509 is all we need. i do not think that the
> > ssl/tls/x509 model is futureproof, and so i think that we need something
> > else, something more internet-like.
>
> One cannot rely on DNSSEC for the whole shebang. In theory it could be the
> conduit of a web of trust, perhaps that is what you mean?
yes, but dnssec is also a web of trust in its own right, albeit not useful
for "whole transactions" in the sense of e-commerce or web or whatever.
> Which makes the vast amount of effort and brain cycles on it all the more
> puzzling. In the vein of your statement regarding the 'king makers' in the
> browser that anoint X.509 certificate vendors, perhaps there is something
> along those lines happening within DNS?
it's because dnssec makes only one king where there are three, that it is hard
for the world to make traction for it. that is, right now root zone management
is a groupthink process involving icann, us-doc, and verisign, but once there
is a root key, the holder of that key will be the one true king. meatspace
does not admit the possibility anymore of one true king.
but you touched on something even more important. x509 succeeded because it
was clear what was at stake and it was clear that investment could pay off.
pgp and dnssec, by not offering a specific and definite fiscal pyramid, don't
offer the kind of investment incentive that's usually necessary for big things to
be built. (if not for netscape's profit-motive, i think the web would have
been slower to take off, and if you doubt this, ask bill gates what he was
thinking back in 1996 on this topic.) (if not for bbn's and later uunet's
profit motives, i think the internet would have been slower to take off, etc.)
> I honestly don't know (it wouldn't seem likely), but it is unclear to me why
> people continue to expend so much time on such a small part of a secure
> internet.
because it's a very important part. it's an enabling technology for just
about everything else we all want to do. sadly, it's not the sexy part nor
is it investment-worthy in its own right.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>