Re: [dnsext] Trust Anchors
At 10:51 AM -0400 10/26/09, Andrew Sullivan wrote:
>I oppose mandating the use of CLOSEST because, on my reading, it
>imports degrees of trust into a system that is simply not designed
>with degrees of trust in the first place. I am especially
>uncomfortable with promoting degrees of trust on the implicit basis of
>some other property.
+1. The IETF has seen this kind of feature creep in other security protocols, and the end result is always unexpected behavior for the relying parties. Even in protocols where degrees of trust were built in from the beginning, namely PGP, the use of degrees was mostly abandoned by users or, worse, used without understanding. Even for pieces that have black-and-white trust but multiple trust anchors with intermediate certificates, it gets ugly really quickly. Just say "path validation with constraints" to a PKIX developer, and see if they cry (or laugh maniacally).
>I oppose removing the section because it is quite plain that the issue
>is not clear to everyone. Those of us involved in an ICANN RSTEP
>review of PIR's .org plans, for example, were all surprised by this
>interpretation of the RFCs; and while I will happily concede that I am
>often confused (so my own surprise might not be a big deal), I feel
>rather strongly that the other participants' surprise was an
>indication of a serious ambiguity in the specification. I'd prefer to
>see the inclusion of a mandate for CLOSEST than to see the section
>dropped completely.
+1, for the same reasons. Patrik can say how many times he had to explain this to me, even as we were reading the exact same words at the same time.
--Paul Hoffman, Director
--VPN Consortium